Description
A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument noticeContent causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in kerwincui FastBee's system notice component. By submitting a malicious value in the noticeContent argument of the Add function, an attacker can inject arbitrary JavaScript that the web interface later renders. The injected script executes in the victim's browser context and can lead to session hijacking or credential theft.

Affected Systems

kerwincui FastBee versions up to and including 1.2.1 are affected. The flaw resides in the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java within the System Notice Handler component.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely against the web interface by supplying malicious content in the noticeContent argument. Because an exploit has been publicly disclosed, manual or automated exploitation is plausible.

Generated by OpenCVE AI on May 3, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update kerwincui FastBee to a version newer than 1.2.1 as soon as a vendor patch is available
  • Sanitize or encode all user‑supplied noticeContent values before rendering them in the UI to prevent execution of injected scripts
  • Apply a strict Content Security Policy and enable X‑XSS‑Protection and X‑Content‑Type‑Options headers to reduce the impact of potential XSS

Advisories

No advisories yet.

History

Sun, 03 May 2026 04:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument noticeContent causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title        (none)           kerwincui FastBee System Notice SysNoticeController.java add cross site scripting
Weaknesses   (none)           CWE-79, CWE-94
References   (none)           (none)
Metrics      (none)           cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                              cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                              cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                              cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T03:15:33.853Z

Reserved: 2026-05-02T08:34:58.650Z

Link: CVE-2026-7677

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T05:15:58.857

Modified: 2026-05-03T05:15:58.857

Link: CVE-2026-7677

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T05:30:05Z

Weaknesses