Platform: php
Fixed in: 2.11.1
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Educar version 2.11. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides in the /intranet/educar_servidor_curso_lst.php file, in an unknown function. A public exploit is now available.
Successful exploitation of CVE-2026-4355 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the i-Educar interface. The remote nature of the vulnerability means an attacker does not need to be authenticated to exploit it, significantly expanding the potential attack surface. The availability of a public exploit increases the likelihood of widespread exploitation.
CVE-2026-4355 has a LOW CVSS score of 3.5. A public proof-of-concept (PoC) is available, indicating a higher risk of exploitation. The vulnerability was disclosed on 2026-03-17. The vendor, Portabilis, was contacted but did not respond, which may delay the availability of a patch.
Educational institutions and organizations utilizing Portabilis i-Educar version 2.11 are at risk. This includes schools, universities, and training centers that rely on i-Educar for learning management and student information systems. The lack of vendor response increases the risk for these organizations.
• wordpress / composer / npm:
  grep -r "educar_servidor_curso_lst.php" /var/www/html/
• generic web:
  curl -I 'http://<target>/intranet/educar_servidor_curso_lst.php?Name=<script>alert(1)</script>'
Disclosure
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4355 is to upgrade to a patched version of i-Educar. As no fixed version is provided, consider implementing input validation and sanitization on the 'Name' parameter in /intranet/educar_servidor_curso_lst.php to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update security policies to address emerging threats.
Upgrade to a patched version or apply the security measures provided by the vendor to mitigate the XSS vulnerability. Since the vendor has not responded, it is recommended to validate and sanitize the input of the 'Name' argument in the file /intranet/educar_servidor_curso_lst.php.
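The advisory recommends validating the 'Name' parameter and sanitizing it before it reaches the page, but does not show what that looks like. The following is an added example, not i-Educar's code and not the vendor's fix: the affected function is unknown, so the unsafe pattern (the raw query parameter echoed into an HTML attribute) is an assumption, and the function names `read_name_filter`, `escape_html`, `render_unsafe` and `render_safe` are hypothetical. It contrasts the reflected pattern with a version that validates on input and encodes on output.

```php
<?php
// Added example (not i-Educar's code): hardening a reflected 'Name' parameter.
// The actual i-Educar function is unknown; the unsafe pattern is an assumption.
declare(strict_types=1);

/** Encodes a value for safe insertion into HTML text or a quoted attribute. */
function escape_html(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning ''
    // on invalid UTF-8, which would otherwise silently drop the value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Returns the 'Name' filter from the query, or '' when it is absent or does not
 * look like a person's name (letters, digits, spaces, dot, apostrophe, hyphen).
 */
function read_name_filter(array $query): string
{
    $name = $query['Name'] ?? '';
    if (!is_string($name)) {          // e.g. ?Name[]=x sends an array
        return '';
    }
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return '';
    }
    if (!preg_match('/^[\p{L}\p{N} .\'\-]+$/u', $name)) {
        return '';                    // angle brackets, quotes, etc. are rejected
    }
    return $name;
}

/** Assumed unsafe pattern: the raw parameter is written straight into the markup. */
function render_unsafe(array $query): string
{
    return '<input name="Name" value="' . ($query['Name'] ?? '') . '">';
}

/** Hardened pattern: validate on input, encode on output. */
function render_safe(array $query): string
{
    $name = read_name_filter($query);
    return '<input name="Name" value="' . escape_html($name) . '">';
}

// Constructed inputs for a local check; $_GET would be used in a real handler.
$probe = ['Name' => '"><script>alert(1)</script>'];
echo render_unsafe($probe), "\n";                 // payload closes the attribute and runs
echo render_safe($probe), "\n";                   // payload fails validation; empty value rendered
echo render_safe(['Name' => "Maria D'Ávila"]), "\n"; // legitimate name passes; apostrophe is encoded
```

Output encoding is the control that actually neutralises the XSS; the allow-list in `read_name_filter` is defence in depth and should be relaxed if real names in the deployment use characters it does not cover. The same two steps apply to any other reflected parameter in the file, not only 'Name'.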
CVE-2026-4355 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar version 2.11, allowing attackers to inject malicious scripts via the 'Name' parameter in a specific file.
If you are using Portabilis i-Educar version 2.11, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
Upgrade to a patched version of i-Educar. Until a patch is released, implement input validation and sanitization on the 'Name' parameter and consider using a WAF.
A public proof-of-concept exists, suggesting a higher likelihood of active exploitation. Monitor your systems for suspicious activity.
Check the Portabilis website and security advisories for updates regarding CVE-2026-4355. As of the disclosure date, no advisory has been published.