| Title | kerwincui FastBee ≤ 1.2.1 Improper Neutralization of Alternate XSS Syntax |
|---|
| Description | FastBee contains a stored XSS vulnerability in the system notice feature. The noticeContent field is accepted by the backend and stored in the database without HTML sanitization. When users open the homepage notice detail dialog, the frontend renders the stored notice content through v-html, causing attacker-controlled JavaScript to execute in the victim's browser. |
|---|
| Source | ⚠️ https://fx4tqqfvdw4.feishu.cn/docx/Iu5Dd558UoS4uIxhH9YcgNsWnjc?from=from_copylink |
|---|
| User | xcxr (UID 86629) |
|---|
| Submission | 04/09/2026 04:50 (3 months ago) |
|---|
| Moderation | 05/02/2026 10:35 (23 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 360830 [kerwincui FastBee up to 1.2.1 System Notice SysNoticeController.java add noticeContent cross site scripting] |
|---|
| Points | 18 |
|---|