
Gnuboard g6 CVE-2025-7786

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-07-18 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: Not defined (X)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:20 (vuln.today)

Description (CVE.org)

A vulnerability, which was classified as problematic, has been found in Gnuboard g6 up to 6.0.10. This issue affects some unknown processing of the file /bbs/scrap_popin_update/qa/ of the component Post Reply Handler. The manipulation leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

A cross-site scripting (XSS) vulnerability in Gnuboard g6 up to version 6.0.10 allows authenticated remote attackers to inject arbitrary JavaScript through the Post Reply Handler component at the /bbs/scrap_popin_update/qa/ path; exploitation requires user interaction. The vulnerability has been publicly disclosed with exploit code available. However, the low EPSS score (0.05%, 15th percentile) and the CVSS score of 2.0 suggest a limited probability of real-world exploitation despite the public proof of concept.

Technical Context (AI)

This is a stored or reflected cross-site scripting (CWE-79) vulnerability in the Gnuboard g6 forum software, a Korean-language open-source bulletin board system. The vulnerability exists in the Post Reply Handler component that processes requests to /bbs/scrap_popin_update/qa/, most likely while handling the scrap or note functionality. The affected software is identified by the CPE cpe:2.3:a:sir:gnuboard:*:*:*:*:*:*:*:*, indicating that all versions up to 6.0.10 from the official Gnuboard project are vulnerable. The root cause is insufficient input sanitization or output encoding of user-supplied data in the QA (question/answer or note-taking) feature, which allows script injection.

Remediation (AI)

Upgrade Gnuboard g6 to a version released after the vulnerability disclosure. The patched version is not explicitly stated in the available data, but GitHub issue #645 indicates that fixes are available in the project repository. Users should pull the latest version from the official Gnuboard GitHub repository (https://github.com/gnuboard/g6) and deploy the patch.

As a compensating control before patching, restrict access to the /bbs/scrap_popin_update/qa/ endpoint using web application firewall (WAF) rules or reverse proxy configuration so that only trusted users can reach it, or disable the scrap/note feature if it is not operationally required. Note that such restrictions will also limit legitimate user access to the feature, so test them carefully before deploying to production.

Additionally, implement a strict Content Security Policy (CSP) header to limit the impact of XSS: set 'script-src' to 'self' only and avoid 'unsafe-inline', so that injected scripts are blocked even if input validation fails. Monitor access logs for suspicious requests to /bbs/scrap_popin_update/qa/ that contain special characters or JavaScript-like payloads.
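The log-monitoring control above, as an added example that is not part of this advisory or of the Gnuboard project: a small Python scanner that reads web-server access logs in the common nginx/Apache "combined" format (an assumption), decodes repeated URL encoding, and reports requests to the affected endpoint whose query string carries markup or event-handler fragments. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory. The log layout below assumes the default
# nginx/Apache "combined" format; adjust LOG_RE for a custom log_format.
TARGET_PATH = "/bbs/scrap_popin_update/qa/"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Markup and event-handler fragments that have no place in a scrap/QA request.
XSS_MARKERS = re.compile(
    r'<\s*/?\s*(script|img|svg|iframe|body)\b|javascript\s*:|\bon[a-z]+\s*=',
    re.IGNORECASE,
)

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding so a double-encoded '<' (%253C) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_line(line: str):
    """Split one combined-format log line into its fields, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(target: str) -> bool:
    """True if the request targets the affected endpoint with XSS-like content."""
    decoded = decode_fully(target)
    return decoded.startswith(TARGET_PATH) and XSS_MARKERS.search(decoded) is not None

def scan(lines):
    """Return (ip, timestamp, decoded target) for every suspicious request.
    Caveat: only the path and query string are logged; a payload sent in a
    POST body never reaches the access log and needs WAF or application logging."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec["target"]):
            hits.append((rec["ip"], rec["ts"], decode_fully(rec["target"])))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jul/2025:10:00:01 +0900] "GET /bbs/scrap_popin_update/qa/?wr_id=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Jul/2025:10:00:07 +0900] "GET /bbs/scrap_popin_update/qa/?wr_id=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 734',
    '203.0.113.9 - - [18/Jul/2025:10:00:09 +0900] "GET /bbs/scrap_popin_update/qa/?wr_id=%253Cscript%253E HTTP/1.1" 200 734',
    '198.51.100.2 - - [18/Jul/2025:10:00:12 +0900] "GET /bbs/board.php?wr_id=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, ts, target in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

The last sample line is deliberately left unflagged because it does not hit the affected endpoint; widen TARGET_PATH handling if you want site-wide coverage.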


CVE-2025-7786 vulnerability details – vuln.today
