CVE-2026-32856 Ellucian Banner Self-Service Reflected XSS via dateConverter

Ellucian Banner Self-Service before the April T2 release 2025-04-23 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the...

CVE-2026-32856

Ellucian Banner Self-Service (before the April T2 release, 2025-04-23) contains a reflected XSS flaw in the dateConverter endpoint’s toDateFormat parameter. An unauthenticated attacker can craft a malicious URL to inject unsanitized input, causing the victim’s browser to execute arbitrary JavaScr...