Description
A vulnerability was identified in atjiu pybbs 6.0.0. This affects the function create of the file src/main/java/co/yiiu/pybbs/controller/api/TopicApiController.java. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Published: 2026-03-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The reported vulnerability resides in the create method of TopicApiController.java in atjiu pybbs 6.0.0. The attacker can manipulate request data to inject arbitrary JavaScript, causing a cross‑site scripting flaw. The advisory states the attack can be initiated remotely and an exploit is publicly available. Based on the description, it is inferred that the injected script will execute in a victim’s browser context, potentially enabling actions such as cookie theft or session hijacking.

Affected Systems

Affected product: atjiu pybbs, version 6.0.0. No other vendors or products are listed. The vulnerability is confined to the TopicApiController.create endpoint of that version.

Risk and Exploitability

The CVSS score of 5.1 places this flaw in the medium‑severity range. No EPSS score is reported, and the vulnerability is not listed in the KEV catalog. Nonetheless, the advisory notes that the exploit is publicly available and can be invoked remotely, indicating a realistic risk for publicly reachable instances. The overall threat can increase with the volume of traffic or the sensitivity of information handled by the application.

Generated by OpenCVE AI on March 20, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the availability of a patched version of atjiu pybbs and upgrade if possible.
  • If no patch is available, limit exposure by restricting the TopicApiController create endpoint to trusted IP addresses or an internal network.
  • Apply rigorous input validation or output encoding to fields processed by this endpoint to neutralize script injection.
  • Review existing stored data for malicious scripts and clear any identified content.
  • Monitor web traffic for unexpected script execution and perform regular vulnerability scans to confirm remediation.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Atjiu; Atjiu pybbs

Type: Vendors & Products
Values Removed: (none)
Values Added: Atjiu; Atjiu pybbs

Fri, 20 Mar 2026 17:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was identified in atjiu pybbs 6.0.0. This affects the function create of the file src/main/java/co/yiiu/pybbs/controller/api/TopicApiController.java. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Type: Title
Values Removed: (none)
Values Added: atjiu pybbs TopicApiController.java create cross site scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79; CWE-94

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-24T19:31:55.960Z

Reserved: 2026-03-20T08:38:41.752Z

Link: CVE-2026-4494

Vulnrichment

Updated: 2026-03-24T19:31:44.774Z

NVD

Status: Awaiting Analysis

Published: 2026-03-20T18:16:17.800

Modified: 2026-03-24T15:54:09.400

Link: CVE-2026-4494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:28:56Z

Weaknesses