Featured image of post CVE-2026-4355
XSS Moderate I-Educar Security WebApp

CVE-2026-4355

Cross-Site Scripting (XSS) Stored

CVE-2026-4355: Cross-Site Scripting (XSS) Stored in new educar_servidor_curso_lst parameter name

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2026-4355

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the educar_servidor_curso_lst.php endpoint of the I-educar 2.11 application. This vulnerability allows attackers to inject malicious scripts into the name parameter. The injected scripts are stored on the server and executed automatically whenever the ComponenteCurricular/view page is accessed by users, representing a significant security risk.

Details

Vulnerable Endpoint: educar_servidor_curso_lst.php

Parameter: name

PoC

Payload

1

<script>alert(1)</script>

Steps to Reproduce:

Register the payload in the name field at the educar_servidor_curso_lst.php endpoint.

After that, the XSS can be triggered by opening the educar_servidor_curso_lst.php endpoint corresponding to the edited ID.

Impact

  • Session hijacking: Stealing cookies or authentication tokens to impersonate users.
  • Credential theft: Harvesting usernames and passwords using malicious scripts.
  • Malware delivery: Distributing unwanted or harmful code to victims.
  • Privilege escalation: Compromising administrative users through persistent scripts.
  • Data manipulation or defacement: Changing or disrupting site content.
  • Reputation damage: Eroding trust among site users and administrators.

Reference

https://github.com/Saiipe/CVE/blob/main/i-educar%2FCVE-2026-4355.md

Finder

Itauan Santos

By: CVE-Hunters

© 2020 - 2026 CVE-Hunters
Built with Hugo
Theme Stack designed by Jimmy