Ellucian · Banner Self-Service · CVE-2026-32856
**Name of the Vulnerable Software and Affected Versions**
Ellucian Banner Self-Service versions prior to the April T2 release (2025-04-23)
**Description**
A reflected cross-site scripting (XSS) issue allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. The `toDateFormat` request parameter of the 'dateConverter' endpoint is reflected without sanitization, so an attacker can craft a malicious URL targeting this endpoint to steal session cookies or perform other malicious actions within the context of the victim's browser session.
**Recommendations**
Update to the April T2 release (2025-04-23) or a newer version.
Avoid using the `toDateFormat` parameter in the 'dateConverter' endpoint until the update is applied.
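
An added example, not Ellucian code: a Python check over web access logs that flags requests to the 'dateConverter' endpoint whose `toDateFormat` value, after repeated URL-decoding, is not a plain date pattern. The allowlist of pattern characters, the combined log format and the `/PLACEHOLDER/` path prefix are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: legitimate toDateFormat values are short date patterns such as
# "MM/dd/yyyy"; this allowlist is constructed for the example.
SAFE_FORMAT = re.compile(r"[A-Za-z0-9 /.,:\-]{1,32}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253C is treated like %3C."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_format(value):
    """True when the decoded value is not a plain date pattern."""
    return SAFE_FORMAT.fullmatch(fully_decode(value)) is None

def scan(lines):
    """Return (line_number, decoded_value) for flagged dateConverter requests."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if "dateconverter" not in url.path.lower():
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "toDateFormat" and suspicious_format(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed sample log lines; "/PLACEHOLDER/" stands in for the real path.
SAMPLE = [
    '192.0.2.10 - - [01/May/2025:10:00:00 +0000] "GET /PLACEHOLDER/dateConverter?toDateFormat=MM%2Fdd%2Fyyyy HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/May/2025:10:00:05 +0000] "GET /PLACEHOLDER/dateConverter?toDateFormat=%22%3E%3Cb%3Ex HTTP/1.1" 200 540',
    '192.0.2.12 - - [01/May/2025:10:00:09 +0000] "GET /PLACEHOLDER/dateConverter?toDateFormat=%253Cb%253E HTTP/1.1" 200 530',
    '192.0.2.13 - - [01/May/2025:10:00:12 +0000] "GET /PLACEHOLDER/other?toDateFormat=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE):
        print(f"line {number}: toDateFormat={value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this check covers query-string requests only.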