Platform: java
Component: pybbs
Fixed in: 6.0.1
CVE-2026-4495 describes a cross-site scripting (XSS) vulnerability discovered in atjiu pybbs version 6.0.0. This flaw resides within the create function of the CommentApiController.java file, allowing attackers to inject malicious scripts. The vulnerability is exploitable remotely and a public proof-of-concept is available, increasing the risk of exploitation. A fix is pending.
Successful exploitation of CVE-2026-4495 allows an attacker to inject arbitrary JavaScript code into the application. This can lead to various malicious actions, including stealing user cookies, redirecting users to phishing sites, or defacing the website. The impact is amplified by the remote accessibility of the vulnerability and the availability of a public exploit, which make it easier for attackers to leverage the flaw. Given the nature of XSS, attackers could potentially gain access to sensitive user data or compromise the entire application if proper security measures are not in place.
A public proof-of-concept exploit for CVE-2026-4495 is already available, indicating a high likelihood of exploitation. The vulnerability was publicly disclosed on 2026-03-20. The CVSS score of 3.5 (LOW) reflects the relatively limited impact of the flaw, even though it is easy to exploit. It is advisable to prioritize mitigation efforts due to the public availability of the exploit.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC
Currently, there is no official patch available for CVE-2026-4495. As a temporary workaround, implement strict input validation and output encoding on all user-supplied data within the CommentApiController.java file. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly scan the application for XSS vulnerabilities using automated tools. Monitor application logs for suspicious activity, such as unusual JavaScript execution patterns.
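The workaround above asks for two separate controls on comment content: validation when a comment is created, and HTML encoding whenever it is rendered. The following Java class is an added example of both, written for this page; it is not code from the pybbs project, and the class name, method names and the 5000-character limit are hypothetical. It uses only the standard library so that the encoder's behaviour is fully visible.

```java
// Added example (not pybbs project code). Demonstrates the two controls
// named in the workaround for a comment-creation endpoint: input
// validation on the way in, HTML output encoding on the way out.
// Names and limits below are hypothetical.
import java.util.List;

public class CommentSanitizer {

    // Hypothetical upper bound for a comment body; set to local policy.
    static final int MAX_COMMENT_LENGTH = 5000;

    // Input validation: reject malformed bodies before they are stored.
    // This complements output encoding; it does not replace it, because
    // validation cannot anticipate every rendering context.
    public static boolean isAcceptable(String content) {
        if (content == null) return false;
        String trimmed = content.trim();
        if (trimmed.isEmpty() || trimmed.length() > MAX_COMMENT_LENGTH) return false;
        // Disallow control characters other than tab, LF and CR.
        for (int i = 0; i < trimmed.length(); i++) {
            char c = trimmed.charAt(i);
            if (c < 0x20 && c != '\t' && c != '\n' && c != '\r') return false;
        }
        return true;
    }

    // Output encoding for HTML text and quoted-attribute contexts: the five
    // characters that let text be interpreted as markup are replaced with
    // entities. Encoding (rather than stripping) preserves what the user
    // wrote while preventing the browser from executing it.
    public static String escapeHtml(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What a create-comment handler should do on input: validate, then
    // store the raw (trimmed) text. Throws on rejected content.
    public static String acceptForStorage(String rawContent) {
        if (!isAcceptable(rawContent)) {
            throw new IllegalArgumentException("comment content rejected");
        }
        return rawContent.trim();
    }

    // What every rendering path (page template or JSON-to-DOM insertion)
    // should do on output: encode the stored text for the HTML context.
    public static String renderForHtml(String storedContent) {
        return escapeHtml(storedContent);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; not taken from the advisory's PoC.
        List<String> samples = List.of(
            "Nice post!",
            "<script>alert(1)</script>",
            "5 > 3 && \"quoted\" text"
        );
        for (String s : samples) {
            String stored = acceptForStorage(s);
            System.out.println(renderForHtml(stored));
        }
        // Rejected input: an empty body fails validation.
        try {
            acceptForStorage("   ");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The split between storing raw text and encoding at render time is deliberate: the encoding that is correct depends on where the comment ends up (HTML body, attribute, JavaScript string, URL), so the encoder must be chosen at the output site rather than baked into the database. If comment bodies are also returned as JSON to a browser client, that client must still treat them as text (for example by setting `textContent`, not `innerHTML`), otherwise the server-side encoding is bypassed.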
Update pybbs to a version later than 6.0.0 that fixes the cross-site scripting (XSS) vulnerability. Consult the vendor's website for the latest version and update instructions.
CVE-2026-4495 is a cross-site scripting (XSS) vulnerability in atjiu pybbs version 6.0.0, allowing attackers to inject malicious scripts via the create function in CommentApiController.java.
If you are using atjiu pybbs version 6.0.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
Currently, no official patch is available. Implement input validation, output encoding, and consider a WAF as temporary mitigations.
A public proof-of-concept exploit exists, suggesting a high likelihood of active exploitation.
Refer to the atjiu pybbs project's official website or GitHub repository for updates and advisories regarding CVE-2026-4495.