CVE-2025-8550

LOW

pybbs < 6.0.0 - Cross-Site Scripting via Username Parameter in Admin Topic List

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-8550. PoCs published by Byte Reaper, byteReaper77.

AI-analyzed exploit summary This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in atjiu pybbs 6.0.0 by injecting malicious scripts into the application's input fields. It includes multiple XSS payloads and a mechanism to steal cookies by sending them to an attacker-controlled server.

Description

A vulnerability was found in atjiu pybbs up to 6.0.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/topic/list. The manipulation of the argument Username leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue.

Exploits (2)

exploitdb WORKING POC
by Byte Reaper · cwebappsmultiple
https://www.exploit-db.com/exploits/52400

This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in atjiu pybbs 6.0.0 by injecting malicious scripts into the application's input fields. It includes multiple XSS payloads and a mechanism to steal cookies by sending them to an attacker-controlled server.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: atjiu pybbs 6.0.0
No auth needed
Prerequisites: Network access to the target application · A server to receive stolen cookies
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by byteReaper77 · poc
https://github.com/byteReaper77/CVE-2025-8550

This repository contains a functional exploit for CVE-2025-8550, a reflected XSS vulnerability in atjiu pybbs ≤ v6.0.0. The exploit targets the `/admin/topic/list` endpoint's `username` parameter with multiple payload variations, optional cookie exfiltration, and multithreading for efficiency.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: atjiu pybbs ≤ v6.0.0
Auth required
Prerequisites: Target URL · Optional authentication cookies · Optional attacker-controlled server for cookie exfiltration
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.318679
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.318679
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.622194
Exploit, Issue Tracking issue-tracking
https://github.com/atjiu/pybbs/issues/203
Exploit, Issue Tracking exploit issue-tracking
https://github.com/atjiu/pybbs/issues/203#issue-3256392964

Scores

CVSS v3 2.4
EPSS 0.0067
EPSS Percentile 71.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79 CWE-94
Status published
Products (1)
pybbs_project/pybbs < 6.0.0
Published Aug 05, 2025
Tracked Since Feb 18, 2026