{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4355", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-17T18:32:46.571Z", "datePublished": "2026-03-17T23:32:14.049Z", "dateUpdated": "2026-03-18T20:19:52.541Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-17T23:32:14.049Z"}, "title": "Portabilis i-Educar Endpoint educar_servidor_curso_lst.php cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "Portabilis", "product": "i-Educar", "versions": [{"version": "2.11", "status": "affected"}], "cpes": ["cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:*"], "modules": ["Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Portabilis i-Educar 2.11. This impacts an unknown function of the file /intranet/educar_servidor_curso_lst.php of the component Endpoint. Performing a manipulation of the argument Name results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C"}}], "timeline": [{"time": "2026-03-17T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-17T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-17T19:37:51.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Saipe (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.351394", "name": "VDB-351394 | Portabilis i-Educar Endpoint educar_servidor_curso_lst.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351394", "name": "VDB-351394 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.772839", "name": "Submit #772839 | portabilis i-educar 2.11 Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/CVE-Hunters/CVE/blob/main/i-educar/XSS_educar_matricula_reclassificar_cad.php.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T20:19:46.769127Z", "id": "CVE-2026-4355", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:19:52.541Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4355", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T20:19:46.769127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:19:49.813Z"}}], "cna": {"title": "Portabilis i-Educar Endpoint educar_servidor_curso_lst.php cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "Saipe (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:*"], "vendor": "Portabilis", "modules": ["Endpoint"], "product": "i-Educar", "versions": [{"status": "affected", "version": "2.11"}]}], "timeline": [{"lang": "en", "time": "2026-03-17T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-17T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-17T19:37:51.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.351394", "name": "VDB-351394 | Portabilis i-Educar Endpoint educar_servidor_curso_lst.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351394", "name": "VDB-351394 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.772839", "name": "Submit #772839 | portabilis i-educar 2.11 Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/CVE-Hunters/CVE/blob/main/i-educar/XSS_educar_matricula_reclassificar_cad.php.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Portabilis i-Educar 2.11. This impacts an unknown function of the file /intranet/educar_servidor_curso_lst.php of the component Endpoint. Performing a manipulation of the argument Name results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-17T23:32:14.049Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4355", "state": "PUBLISHED", "dateUpdated": "2026-03-18T20:19:52.541Z", "dateReserved": "2026-03-17T18:32:46.571Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-17T23:32:14.049Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Portabilis i-Educar 2.11. This impacts an unknown function of the file /intranet/educar_servidor_curso_lst.php of the component Endpoint. Performing a manipulation of the argument Name results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en Portabilis i-Educar 2.11. Esto afecta una funci\u00f3n desconocida del archivo /intranet/educar_servidor_curso_lst.php del componente Endpoint. Realizar una manipulaci\u00f3n del argumento Name resulta en cross site scripting. El ataque puede ser iniciado remotamente. El exploit ahora es p\u00fablico y puede ser usado. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-4355", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-18T00:16:20.683", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/CVE-Hunters/CVE/blob/main/i-educar/XSS_educar_matricula_reclassificar_cad.php.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.351394"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.351394"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.772839"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.11"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "i-Educar", "source": "cna", "vendor": "Portabilis"}, "product": "i-educar", "vendor": "portabilis"}], "analysis": {"en": {"generated_at": "2026-03-18T00:20:28.879998+00:00", "value": {"mitigation_remediation": ["Verify whether Portabilis has released an update for i\u2011Educar 2.11 and apply it immediately if available.", "If no patch exists, restrict or disable access to /intranet/educar_servidor_curso_lst.php or implement input validation to reject JavaScript payloads.", "Deploy web\u2011application firewall rules or content\u2011security\u2011policy headers that block or sanitize XSS attempts.", "Continuously monitor web logs for suspicious activity and audit user sessions for signs of XSS exploitation."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Portabilis i\u2011Educar 2.11 is affected. The CPE identifier for the product is cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:*. No other versions or products are listed as impacted.", "description_and_impact": "The vulnerability resides in the file /intranet/educar_servidor_curso_lst.php of Portabilis i\u2011Educar 2.11. Manipulation of the Name parameter leads to the injection and execution of arbitrary JavaScript within the victim\u2019s browser, enabling attackers to perform actions such as stealing session cookies, defacing content, or conducting phishing attacks. The weakness is identified by CWE\u201179 (XSS) and CWE\u201194 (Code Injection). The attack may be initiated remotely and the exploit has been publicly disclosed, allowing unprivileged attackers to trigger it via crafted requests.", "risk_and_exploitability": "The CVSS score is 5.1, indicating moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Because the exploit can be executed remotely and is publicly available, the likelihood of attack is high; however, the damage is confined to the browser environment of authenticated or unauthenticated users who interact with the affected endpoint. No vendor\u2011supplied solution or workaround is currently documented, so the risk remains until remediation is applied."}}}}, "created": "2026-03-18T10:42:31.333750+00:00", "updated": "2026-03-24T10:54:19.919828+00:00", "vendors": ["portabilis", "portabilis$PRODUCT$i-educar"]}