CVE-2026-4495

LOW

atjiu pybbs CommentApiController.java create cross site scripting

Title source: cna

Description

A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-352021 | atjiu pybbs CommentApiController.java create cross site scripting

https://vuldb.com/?id.352021

Signature, Permissions Required signature permissions-required

VDB-352021 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.352021

Third Party Advisory third-party-advisory

Submit #773780 | atjiu pybbs 6.0.0 Improper Neutralization of Alternate XSS Syntax

https://vuldb.com/?submit.773780

Exploit exploit

https://fx4tqqfvdw4.feishu.cn/docx/PN3YdPBpsowyU1xTV1VcVTm9nzg?from=from_copylink

Scores

CVSS v3 3.5

EPSS 0.0027

EPSS Percentile 18.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (1)

atjiu/pybbs 6.0.0

Published Mar 20, 2026

Tracked Since Mar 21, 2026