2.0.1
2.1.1
2.2.1
2.3.1
2.4.1
2.5.1
2.6.1
2.7.1
2.8.1
2.9.1
2.10.1
CVE-2025-8918 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar versions 2.0 through 2.10. This vulnerability allows attackers to inject malicious scripts into the application via manipulation of the 'neighborhood name' argument within the /intranet/educarinstituicaocad.php file. A patch is available in version 2.10.1, addressing this security concern.
Successful exploitation of CVE-2025-8918 allows an attacker to execute arbitrary JavaScript code in the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the i-Educar interface, and theft of sensitive information like user credentials or personal data. The vulnerability's remote accessibility significantly broadens the potential attack surface, as attackers can initiate the exploit from anywhere with network access to the i-Educar instance. The impact is amplified if the i-Educar system is used to manage sensitive student or institutional data.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While no active campaigns have been definitively linked to CVE-2025-8918 at the time of writing, the availability of public information makes it a potential target for opportunistic attackers. The vulnerability was reported to the vendor, but they did not respond. It is not listed on KEV or EPSS.
Exploit Status
EPSS
0.03% (10% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-8918 is to upgrade i-Educar to version 2.10.1 or later, which includes the necessary fix. If immediate upgrading is not feasible, consider implementing input validation and sanitization on the 'neighborhood name' parameter within the /intranet/educarinstituicaocad.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific endpoint can provide an additional layer of defense. Regularly review and update i-Educar's security configuration to minimize the risk of similar vulnerabilities.
Update i-Educar to the latest available version. If no version is available, review the code of /intranet/educar_instituicao_cad.php and properly filter or escape the input of the 'neighborhood name' parameter to prevent the execution of unwanted JavaScript code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-8918 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar versions 2.0 through 2.10, allowing attackers to inject malicious scripts.
You are affected if you are running i-Educar versions 2.0 through 2.10. Upgrade to 2.10.1 or later to mitigate the risk.
Upgrade i-Educar to version 2.10.1 or later. As a temporary workaround, implement input validation on the 'neighborhood' parameter.
While no confirmed active campaigns are known, the public disclosure increases the risk of exploitation.
Refer to the Portabilis security advisories page for updates and official information regarding CVE-2025-8918.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.