CVE-2026-32856

MEDIUMPre-NVD 6.16.1
EchelonGraph scoreHIGH confidence

Score 6.1 from GitHub Security Advisory published 2026-06-09. a secondary CVSS source baseline 6.1; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary
Trending — 3 sources updated this week
6.1
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 6.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.

CVSS v3
6.1
EG Score
6.1(high)
EPSS
12.5%
KEV
Not listed

Published

June 9, 2026

Last Modified

June 10, 2026

Advisory Details (2)

Auto-updated Jun 15, 2026
No patch confirmed yet.
generic

Ellucian Banner Self-Service Reflected XSS via dateConverter | Advisories | VulnCheck

https://www.vulncheck.com/advisories/ellucian-banner-self-service-reflected-xss-via-dateconverter
generic

Security Researcher Hall of Fame | Ellucian

https://www.ellucian.com/security-researcher-hall-of-fame

Vendor Advisories for CVE-2026-32856(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Frequently asked(5)

What is CVE-2026-32856?
CVE-2026-32856 is a medium vulnerability published on June 9, 2026. Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the…
When was CVE-2026-32856 disclosed?
CVE-2026-32856 was first published in the National Vulnerability Database on June 9, 2026, with the most recent update on June 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-32856 actively exploited?
CVE-2026-32856 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 12.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-32856?
CVE-2026-32856 has a CVSS v3 base score of 6.1 (NVD).
How do I remediate CVE-2026-32856?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-32856, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-32856

Explore →

Is Your Infrastructure Affected by CVE-2026-32856?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.