Platform: php
Component: vulnerability-research
Fixed in: 2.0.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.7.1, 2.8.1, 2.9.1, 2.10.1
CVE-2026-2064 describes a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar versions 2.0 through 2.10. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability resides within the /intranet/meusdadod.php file, specifically related to the handling of the 'File' argument. A public exploit is available, increasing the likelihood of exploitation.
Successful exploitation of CVE-2026-2064 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. The attacker could potentially steal sensitive information displayed within the i-Educar interface, such as student records or administrative data. Given the publicly available exploit, the risk of exploitation is elevated, particularly for systems that have not been patched. The attack can be launched remotely, expanding the potential attack surface.
CVE-2026-2064 has a LOW CVSS score. A public proof-of-concept (PoC) is available, indicating a moderate risk of exploitation. The vulnerability was disclosed on 2026-02-06. The vendor was contacted but did not respond, which could delay further mitigation efforts.
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-2064 is to upgrade Portabilis i-Educar to version 2.10 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the 'File' argument within the /intranet/meusdadod.php file to prevent malicious script injection. Web application firewalls (WAFs) can be configured to detect and block XSS attempts targeting this specific endpoint. Regularly review and update WAF rules to ensure effectiveness. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'File' parameter and verifying that the script is not executed.
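The interim mitigation above (validate the 'File' argument, then make sure it cannot be interpreted as markup) is illustrated by the following PHP snippet. It is an added example, not i-Educar's code: the page does not say how /intranet/meusdadod.php uses 'File', so the example assumes the classic reflected-XSS shape in which the parameter is echoed into the HTML response. The function names, the allow-list pattern and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not i-Educar's code): handling a reflected request parameter
// safely. Assumption: the 'File' value ends up inside the page's HTML text.
declare(strict_types=1);

// Vulnerable pattern: the raw parameter reaches the HTML response unencoded,
// so any markup it contains is rendered and scripted by the victim's browser.
function renderFileNameUnsafe(string $file): string
{
    return "<p>Arquivo selecionado: {$file}</p>";
}

// Step 1 (validation): accept only what a file name may legitimately contain.
// Hypothetical allow-list; tighten it to the values the real page expects.
function isValidFileArgument(string $file): bool
{
    return preg_match('/^[A-Za-z0-9._-]{1,255}$/', $file) === 1
        && strpos($file, '..') === false;
}

// Step 2 (output encoding): encode for the HTML text context every time,
// even after validation, so a later relaxation of the allow-list cannot
// reintroduce XSS. ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE
// prevents invalid UTF-8 from producing an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: reject unexpected input, log it for detection, and
// encode whatever is rendered.
function renderFileNameSafe(string $file): string
{
    if (!isValidFileArgument($file)) {
        error_log('meusdadod: rejected File argument of length ' . strlen($file));
        return '<p>Arquivo inválido.</p>';
    }
    return '<p>Arquivo selecionado: ' . escapeHtml($file) . '</p>';
}

// Constructed inputs for a local check (run with: php this_file.php).
$benign  = 'boletim_2026.pdf';
$hostile = '"<b>nome</b>';   // contains markup and a quote; must never render as HTML

$checks = [
    renderFileNameSafe($benign)  === '<p>Arquivo selecionado: boletim_2026.pdf</p>',
    renderFileNameSafe($hostile) === '<p>Arquivo inválido.</p>',
    escapeHtml($hostile)         === '&quot;&lt;b&gt;nome&lt;/b&gt;',
    // The unsafe renderer passes the markup through untouched, which is the bug.
    renderFileNameUnsafe($hostile) === '<p>Arquivo selecionado: "<b>nome</b></p>',
];
echo in_array(false, $checks, true) ? "FAIL\n" : "PASS\n";

// In a real handler the value would come from the request, e.g.:
echo renderFileNameSafe($_GET['File'] ?? $benign), PHP_EOL;
```

Validation and output encoding are deliberately separate: the allow-list limits what the handler accepts, while the encoding guarantees that whatever is rendered is treated as text by the browser. Either alone is a weaker control than both together, and only the upgrade to a fixed release removes the underlying defect.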
Update i-Educar to version 2.10 or higher. This version contains the fix for the Cross-Site Scripting (XSS) vulnerability in the user data page. The update mitigates the risk of malicious script execution in users' browsers.
CVE-2026-2064 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar versions 2.0-2.10, allowing attackers to inject malicious scripts via the /intranet/meusdadod.php endpoint.
You are affected if you are running Portabilis i-Educar versions 2.0 through 2.10 and have not upgraded to version 2.10 or applied appropriate mitigations.
Upgrade to Portabilis i-Educar version 2.10 or later. Implement input validation and sanitization on the 'File' argument as a temporary workaround.
A public exploit exists, indicating a potential for active exploitation, especially for unpatched systems.
Refer to the Portabilis security advisories page for the latest information: [https://portabilis.org/security/](https://portabilis.org/security/)