CVE-2026-2947

3.5 LOW

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in rymcu forest versions up to 0.0.5. Attackers can inject malicious scripts via the updateUserInfo function in the user profile handler, potentially compromising user sessions or stealing sensitive data. All users of affected versions are at risk.

💻 Affected Systems

Products:
  • rymcu forest
Versions: up to and including 0.0.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the User Profile Handler component specifically in the updateUserInfo function.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal user session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to account takeover and data theft.

🟠

Likely Case

Attackers inject malicious JavaScript that executes in victims' browsers, potentially stealing session tokens or displaying phishing content to users.

🟢

If Mitigated

With proper input validation and output encoding, the impact is limited to minor UI disruption or blocked script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit is publicly available and can be executed remotely, though authentication may be required to access the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a version above 0.0.5 if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Output Encoding

Applies to: all

Implement server-side validation of user inputs and encode outputs to prevent script execution.

Implement input validation in src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java

Content Security Policy (CSP)

Applies to: all

Deploy a strict CSP header to mitigate XSS impact by restricting script sources.

Add Content-Security-Policy header to web server configuration
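The two workarounds above (server-side validation with output encoding, and a strict CSP) are illustrated below in a short Python sketch. This is an added example, not code from rymcu forest (which is a Java project) and not the project's handler: the field names `nickname`, `signature` and `homepage`, the sample update and the two CSP header values are constructed for the illustration.

```python
import html
import re

# Constructed stand-in for a profile update as a handler like updateUserInfo
# would receive it. The nickname carries a script tag and the homepage uses a
# non-http scheme; both are the kinds of values validation should reject.
SAMPLE_UPDATE = {
    "nickname": "alice<script>alert(document.cookie)</script>",
    "signature": "hello <b>world</b>",
    "homepage": "javascript:alert(1)",
}

# Allow-list for a field that should never carry markup (assumed policy).
NICKNAME_RE = re.compile(r"^[\w .\-]{1,32}$")


def validate_profile(update: dict) -> list:
    """Server-side validation: return a list of errors (empty means acceptable)."""
    errors = []
    if not NICKNAME_RE.fullmatch(update.get("nickname", "")):
        errors.append("nickname contains disallowed characters")
    homepage = update.get("homepage", "")
    if homepage and not homepage.lower().startswith(("http://", "https://")):
        errors.append("homepage must be an http(s) URL")
    for field in ("signature",):
        if len(update.get(field, "")) > 500:
            errors.append(f"{field} exceeds 500 characters")
    return errors


def encode_for_html(update: dict) -> dict:
    """Output encoding: escape every field before it is placed into an HTML body."""
    return {k: html.escape(v, quote=True) for k, v in update.items()}


# Weak header beside a stricter one (both constructed). The weak one allows
# inline scripts and any host, which defeats the purpose of the control.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def is_strict_csp(header_value: str) -> bool:
    """Check that the effective script-src forbids inline scripts and wildcards."""
    directives = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    forbidden = {"'unsafe-inline'", "*", "data:"}
    return not any(src.lower() in forbidden for src in sources)


if __name__ == "__main__":
    print("validation errors:", validate_profile(SAMPLE_UPDATE))
    print("encoded nickname:", encode_for_html(SAMPLE_UPDATE)["nickname"])
    print("weak CSP strict?", is_strict_csp(WEAK_CSP))
    print("strict CSP strict?", is_strict_csp(STRICT_CSP))
```

Validation and encoding are complementary rather than alternatives: validation rejects values that have no business containing markup, while encoding protects fields such as a free-text signature where angle brackets may be legitimate. The CSP check is a configuration sanity test, not a substitute for fixing the handler.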

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Disable or restrict access to the vulnerable updateUserInfo endpoint if not essential

🔍 How to Verify

Check if Vulnerable:

Check if running rymcu forest version 0.0.5 or earlier. Review the UserInfoController.java file for lack of input sanitization in updateUserInfo.

Check Version:

Check application version in configuration files or via application metadata.

Verify Fix Applied:

Test the updateUserInfo endpoint with XSS payloads to ensure they are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to user update endpoints with script-like payloads
  • Error logs showing script execution attempts

Network Indicators:

  • HTTP requests containing script tags or JavaScript in user profile update parameters

SIEM Query:

Search for POST requests to */api/user/* containing <script> or javascript: patterns
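The SIEM query above, run as detection logic over a few constructed access-log lines. This is an added example rather than anything shipped with rymcu forest or a specific SIEM: the log lines, IP addresses and request paths are made up for the illustration, and the URL-decoding loop is included because the query's `<script>` and `javascript:` patterns only match once percent-encoding has been removed.

```python
import re
from urllib.parse import unquote

# Constructed combined-log-format lines; no real deployment is represented.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "POST /api/user/info HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2026:10:00:01 +0000] "POST /api/user/info?nickname=%3Cscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /api/user/info?nickname=<script> HTTP/1.1" 200 200 "-" "Mozilla/5.0"',
    '10.0.0.11 - - [01/Jan/2026:10:00:03 +0000] "POST /api/user/info?homepage=JavaScript%3Avoid(0) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.13 - - [01/Jan/2026:10:00:04 +0000] "POST /api/article/post HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TARGET_PATH = re.compile(r"/api/user/")          # the */api/user/* part of the query
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded payloads are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_profile_update_requests(lines) -> list:
    """Return the POST requests to */api/user/* whose target contains the patterns."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, timestamp, method, target, status = match.groups()
        path = target.split("?", 1)[0]
        if method != "POST" or not TARGET_PATH.search(path):
            continue
        if SUSPICIOUS.search(fully_decode(target)):
            hits.append({"ip": ip, "time": timestamp, "target": target, "status": status})
    return hits


if __name__ == "__main__":
    for hit in flag_profile_update_requests(SAMPLE_LOGS):
        print(f"{hit['time']} {hit['ip']} {hit['target']} -> {hit['status']}")
```

One caveat a practitioner will hit immediately: a profile update normally carries its fields in the POST body, which a standard access log does not record. Unless the WAF, reverse proxy or application logs body parameters (or at least a hash of them), this rule only catches payloads placed in the query string, so pair it with the application-level indicators listed above.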
