← Back
2026-03-20 18:2CVE-2026-4495VulDB
PUBLISHED5.2CWE-79CWE-94

atjiu pybbs CommentApiController.java create cross site scripting

A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Problem type

Affected products

atjiu

pybbs

6.0.0 - AFFECTED

References

VDB-352021 | atjiu pybbs CommentApiController.java create cross site scripting

https://vuldb.com/?id.352021

vdb-entrytechnical-description
VDB-352021 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.352021

signaturepermissions-required
Submit #773780 | atjiu pybbs 6.0.0 Improper Neutralization of Alternate XSS Syntax

https://vuldb.com/?submit.773780

third-party-advisory
fx4tqqfvdw4.feishu.cn

https://fx4tqqfvdw4.feishu.cn/docx/PN3YdPBpsowyU1xTV1VcVTm9nzg?from=from_copylink

exploit

GitHub Security Advisories

GHSA-7r5p-f7h5-h6gp

A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the...

https://github.com/advisories/GHSA-7r5p-f7h5-h6gp

A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-4495

fx4tqqfvdw4.feishu.cn

https://fx4tqqfvdw4.feishu.cn/docx/PN3YdPBpsowyU1xTV1VcVTm9nzg?from=from_copylink

vuldb.com

https://vuldb.com/?ctiid.352021

vuldb.com

https://vuldb.com/?id.352021

vuldb.com

https://vuldb.com/?submit.773780

github.com

https://github.com/advisories/GHSA-7r5p-f7h5-h6gp

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-4495
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-4495",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-03-20T18:02:46.439Z",
    "dateReserved": "2026-03-20T08:38:45.780Z",
    "datePublished": "2026-03-20T18:02:46.439Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-03-20T18:02:46.439Z"
      },
      "title": "atjiu pybbs CommentApiController.java create cross site scripting",
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks."
        }
      ],
      "affected": [
        {
          "vendor": "atjiu",
          "product": "pybbs",
          "versions": [
            {
              "version": "6.0.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Cross Site Scripting",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Code Injection",
              "cweId": "CWE-94",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.352021",
          "name": "VDB-352021 | atjiu pybbs CommentApiController.java create cross site scripting",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.352021",
          "name": "VDB-352021 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.773780",
          "name": "Submit #773780 | atjiu pybbs 6.0.0 Improper Neutralization of Alternate XSS Syntax",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://fx4tqqfvdw4.feishu.cn/docx/PN3YdPBpsowyU1xTV1VcVTm9nzg?from=from_copylink",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.5,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.5,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "baseScore": 4
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-03-20T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-03-20T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-03-20T09:43:53.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "xcxr (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}