
atjiu pybbs CVE-2025-12297

Severity: LOW
Weakness: Information Exposure (CWE-200)
2025-10-27 · cna@vuldb.com
Base score: 2.1 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:36 (vuln.today)

Description (CVE.org)

A vulnerability was detected in atjiu pybbs up to 6.0.0. This affects an unknown function of the file UserApiController.java. The manipulation results in information disclosure. The attack may be launched remotely. The exploit is now public and may be used.

Analysis (AI)

Authenticated users with low privileges can obtain sensitive information through an unknown function in UserApiController.java in atjiu pybbs up to version 6.0.0 via remote network access. The vulnerability has a CVSS score of 2.1 with low confidentiality impact and publicly available exploit code, but an extremely low real-world exploitation probability (EPSS 0.03%, 8th percentile); because it requires authenticated access, practical risk is limited despite public PoC availability.

Technical Context (AI)

The vulnerability resides in UserApiController.java of atjiu pybbs, a Java-based bulletin board system. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating improper access controls or information leakage in an API controller handling user-related operations. The affected component processes user data through a REST API endpoint without adequate authorization checks, allowing authenticated users to access information they should not be permitted to view.

Remediation (AI)

Upgrade atjiu pybbs to a version after 6.0.0 when one is available from the project maintainers at https://github.com/atjiu/pybbs (confirm patch availability with the upstream project). If no patched version is available yet, enforce authentication and access-control validation in UserApiController.java: audit every API endpoint to ensure role-based access control (RBAC) properly restricts user data exposure, and specifically verify that API methods returning user information check that the requesting user is authorized to view the target user's data. As a compensating control, restrict access to the UserApiController API endpoints at the network level (firewall, reverse proxy) to trusted internal networks only, at the cost of API usability. Consider disabling or masking sensitive user fields (email, phone, profile details) in API responses unless they are explicitly needed by authenticated users with verified permissions.
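As an added illustration of the remediation above (this is not code from pybbs, whose affected function the advisory does not name), a minimal Java service that applies the two controls recommended: an authorization check before returning another user's record, and a response DTO that omits email and phone unless the caller is the account owner or an administrator. The record and field names are assumptions.

```java
import java.util.Map;
import java.util.Optional;

// Hypothetical user entity; field names are assumptions, not pybbs's schema.
record User(long id, String username, String email, String phone, boolean admin) {}

// Response DTO: sensitive fields are null unless the caller is authorized to see them.
record UserView(long id, String username, String email, String phone) {}

final class UserApiService {
    // Constructed in-memory store standing in for the database.
    private final Map<Long, User> users;

    UserApiService(Map<Long, User> users) { this.users = users; }

    // Requires an authenticated requester before any lookup takes place.
    public Optional<UserView> getUser(User requester, long targetId) {
        if (requester == null) {
            return Optional.empty();
        }
        User target = users.get(targetId);
        if (target == null) {
            return Optional.empty();
        }
        // Authorization check: only the account owner or an administrator may
        // read contact details; every other caller gets the public profile view.
        boolean mayReadSensitive = requester.admin() || requester.id() == target.id();
        return Optional.of(toView(target, mayReadSensitive));
    }

    // Project into a DTO so the entity itself is never serialized and no field
    // reaches the response unless the caller was explicitly authorized for it.
    private static UserView toView(User u, boolean includeSensitive) {
        return includeSensitive
            ? new UserView(u.id(), u.username(), u.email(), u.phone())
            : new UserView(u.id(), u.username(), null, null);
    }

    public static void main(String[] args) {
        // Constructed sample accounts for the demonstration.
        User alice = new User(1, "alice", "alice@example.invalid", "+1-555-0100", false);
        User bob = new User(2, "bob", "bob@example.invalid", "+1-555-0101", false);
        UserApiService svc = new UserApiService(Map.of(1L, alice, 2L, bob));
        System.out.println(svc.getUser(bob, 1));   // another user: public view only
        System.out.println(svc.getUser(alice, 1)); // owner: full record
        System.out.println(svc.getUser(null, 1));  // no session: nothing returned
    }
}
```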


CVE-2025-12297 vulnerability details – vuln.today
