CVE-2025-9638

low-risk

Published 2025-12-09

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portabilis i-Educar allows Stored Cross-Site Scripting (XSS) via the matricula_interna parameter in the educar_usuario_cad.php endpoint. This issue affects i-Educar: 2.10.0.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.8/10 Medium

NETWORK / LOW complexity

Affected Products (1)

I-Educar

Affected Vendors

Portabilis

References (3)

Exploit https://fluidattacks.com/advisories/travis

Product https://github.com/portabilis/i-educar

Exploit https://fluidattacks.com/advisories/travis

/ 100

low-risk

Severity 19/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal