ZAST Agent has identified 14 vulnerabilities in pybbs (tomoya92/pybbs, 2.9k+ GitHub Stars).
The attack surface includes 8 XSS vectors, CSRF on admin endpoints, and CAPTCHA reuse. Traditional SAST, which focuses on pattern matching, does not analyze logic flaws like email bypass or multi-stage flows (Stored XSS via /api/settings).
Our engine verified every attack path—from payload persistence to triggering admin-level execution—via executable PoCs. This minimizes the triage effort required for these validated findings.
Repo: https://github.com/tomoya92/pybbs
Full Technical Details: https://blog.zast.ai/security%20research/Security-Advisory-7-Unpatched-Vulnerabilities-in-Prime-(CMS)-GraphQL-Implementation/
#AppSec #ZAST #VulnerabilityResearch #Java #XSS