Platform: java
Component: pybbs
Fixed in: 6.0.1
CVE-2026-4494 describes a cross-site scripting (XSS) vulnerability discovered in atjiu pybbs version 6.0.0. The flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. Only version 6.0.0 is affected, the vulnerability is exploitable remotely, and a fix is available.
Successful exploitation of CVE-2026-4494 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. The attacker could potentially steal sensitive information displayed on the page or redirect users to malicious websites. Given the remote accessibility of the vulnerability, the blast radius extends to all users interacting with the affected pybbs instance.
A public proof-of-concept (PoC) for CVE-2026-4494 is available, indicating a relatively high likelihood of exploitation. The vulnerability was publicly disclosed on 2026-03-20. The CVSS score is LOW, suggesting the exploit requires specific conditions or user interaction to be successful, but the availability of a PoC increases the risk. No KEV listing or confirmed exploitation campaigns have been reported as of this date.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC
The primary mitigation for CVE-2026-4494 is to upgrade to a patched version of atjiu pybbs. If the upgrade cannot be applied immediately, consider implementing input validation and output encoding on the create function of TopicApiController.java to sanitize user-supplied data. Web application firewalls (WAFs) configured with rules to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through the create function and verifying that it is properly sanitized.
Update pybbs to a version later than 6.0.0. This will fix the Cross-Site Scripting (XSS) vulnerability in the create function of the TopicApiController.java file.
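To make the interim mitigation above concrete, the following is an added Java example (not pybbs project code) showing input validation on a topic title, contextual HTML output encoding of the value before it is written into a page, and the post-fix verification check the advisory describes. The class and method names (TopicCreateSanitizer, validateTitle, htmlEncode, isNeutralized) and the sample title are hypothetical; the only identifier taken from the advisory is the create endpoint in TopicApiController.java.

```java
// Added example, not pybbs project code. All names here are hypothetical;
// only the create endpoint in TopicApiController.java comes from the advisory.
import java.util.Objects;

public final class TopicCreateSanitizer {

    /** Input validation: reject titles outside the expected shape rather than "cleaning" them. */
    static String validateTitle(String title) {
        String t = Objects.requireNonNull(title, "title").trim();
        if (t.isEmpty() || t.length() > 120) {
            throw new IllegalArgumentException("title must be 1-120 characters");
        }
        return t;
    }

    /** Output encoding for HTML text and attribute contexts; apply where the value is rendered. */
    static String htmlEncode(String input) {
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Verification step: encoded output must carry no raw HTML metacharacters. */
    static boolean isNeutralized(String encoded) {
        return encoded.indexOf('<') < 0 && encoded.indexOf('>') < 0
            && encoded.indexOf('"') < 0 && encoded.indexOf('\'') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample title, as a tester would submit it to the create endpoint.
        String title = validateTitle("Hello <script>alert(1)</script>");
        String safe = htmlEncode(title);
        System.out.println(safe);                              // Hello &lt;script&gt;alert(1)&lt;&#x2F;script&gt;
        System.out.println("neutralized: " + isNeutralized(safe)); // neutralized: true
    }
}
```

Encoding belongs at the point where the title or body is written into HTML, so stored text stays faithful and the same value can later be emitted safely into other contexts (JSON, attributes) with the encoder appropriate to each.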
CVE-2026-4494 is a cross-site scripting (XSS) vulnerability affecting atjiu pybbs version 6.0.0, allowing attackers to inject malicious scripts via the create function.
If you are using atjiu pybbs version 6.0.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of atjiu pybbs. If you cannot upgrade immediately, implement input validation and output encoding.
A public proof-of-concept exists, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the atjiu pybbs project's official website or GitHub repository for the latest security advisories and updates.