CVE-2026-7677 Overview
CVE-2026-7677 is a stored cross-site scripting (XSS) vulnerability [CWE-79] in kerwincui FastBee through version 1.2.1. The flaw resides in the Add function of springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java, part of the System Notice Handler component. Attackers can inject malicious script payloads through the noticeContent parameter, which the application stores and later renders without proper sanitization. The exploit has been publicly disclosed. The vendor was contacted prior to disclosure but did not respond.
Critical Impact
Authenticated remote attackers can inject persistent JavaScript payloads into system notices, executing arbitrary script in the browsers of administrators and users who view the affected notice.
Affected Products
- kerwincui FastBee versions up to and including 1.2.1
- FastBee Admin module (fastbee-admin)
- System Notice Handler component (SysNoticeController.java)
Discovery Timeline
- 2026-05-03 - CVE-2026-7677 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7677
Vulnerability Analysis
The vulnerability is a stored XSS issue in the FastBee IoT platform's administrative notice subsystem. The Add method in SysNoticeController.java accepts user-supplied content via the noticeContent argument and persists it without applying output encoding or HTML sanitization. When other authenticated users access the notice list or detail view, the browser parses the stored payload as active script content.
The attack requires low-privilege authenticated access and limited user interaction, since a victim must view the notice for the payload to execute. The impact is constrained to integrity within the application context, which is reflected in the low CVSS rating. However, in administrative interfaces, even low-impact XSS can enable session hijacking, CSRF chaining, or pivot attacks against operators of connected IoT devices.
Root Cause
The root cause is missing input validation and output encoding on the noticeContent field within the System Notice Handler. The controller forwards untrusted input directly into persistent storage, and the front-end renders the value into the DOM without escaping HTML entities or stripping script tags.
Attack Vector
An authenticated attacker submits a crafted POST request to the notice creation endpoint with a script payload embedded in the noticeContent field. The server stores the payload verbatim. Each subsequent user who loads the notice triggers script execution in their browser session. The attack is reachable over the network and does not require local access. The vulnerability affects only stored data integrity, not server-side confidentiality or availability.
A proof of concept has been publicly disclosed through VulDB submission #800724 and a Feishu document referenced in VulDB. See the VulDB CTI entry for #360830 for additional technical context.
Detection Methods for CVE-2026-7677
Indicators of Compromise
- HTTP POST requests to the FastBee notice creation endpoint containing <script>, onerror=, onload=, or javascript: substrings within the noticeContent parameter.
- Database rows in the sys_notice table where notice_content contains HTML tags or JavaScript event handler attributes.
- Unusual outbound requests from administrator browsers to attacker-controlled domains shortly after viewing system notices.
Detection Strategies
- Inspect application access logs for requests to the notice Add controller with payloads matching common XSS patterns.
- Apply web application firewall (WAF) rules that flag script tags and event handlers submitted to FastBee admin endpoints.
- Audit existing notice records for stored HTML or script content that should not appear in plain-text notices.
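As an added example, not part of this advisory or of the FastBee project, the following Java program applies the indicator checks above to constructed access-log POST bodies and constructed sys_notice rows. It assumes form-encoded request bodies and uses the field names noticeContent and notice_content from the text; the class and method names are hypothetical.

```java
// Added example (not FastBee project code): scan constructed access-log POST
// bodies and constructed sys_notice rows for the stored-XSS indicators above.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

public class NoticeXssScan {
    // Substrings from the IoC list; \b avoids matching "season=" style false positives.
    private static final Pattern SCRIPTY = Pattern.compile(
            "(<script|\\bon[a-z]+\\s*=|javascript:)", Pattern.CASE_INSENSITIVE);
    // Plain-text notices should contain no HTML tags at all.
    private static final Pattern ANY_TAG = Pattern.compile("<[a-zA-Z/!][^>]*>");

    /** Flags a logged form body whose noticeContent value matches after URL-decoding. */
    static boolean suspiciousRequestBody(String formBody) {
        for (String kv : formBody.split("&")) {
            int eq = kv.indexOf('=');
            if (eq < 0 || !kv.substring(0, eq).equals("noticeContent")) continue;
            // Payloads are usually percent-encoded in transit; decode before matching.
            String value = URLDecoder.decode(kv.substring(eq + 1), StandardCharsets.UTF_8);
            return SCRIPTY.matcher(value).find();
        }
        return false;
    }

    /** Audit check for a stored notice_content value. */
    static boolean suspiciousStoredContent(String noticeContent) {
        return ANY_TAG.matcher(noticeContent).find() || SCRIPTY.matcher(noticeContent).find();
    }

    public static void main(String[] args) {
        // Constructed sample POST bodies as a body-capturing access log would record them.
        List<String> bodies = List.of(
                "noticeTitle=Maintenance&noticeContent=Gateway+restart+at+02%3A00",
                "noticeTitle=Hi&noticeContent=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E",
                "noticeTitle=Hi&noticeContent=%3Cscript%3Ealert(1)%3C%2Fscript%3E");
        for (String b : bodies)
            System.out.println((suspiciousRequestBody(b) ? "ALERT " : "ok    ") + b);

        // Constructed sample values from sys_notice.notice_content.
        List<String> rows = List.of(
                "Firmware 2.1 rollout tonight",
                "<a href=\"javascript:void(0)\">click</a>");
        for (String r : rows)
            System.out.println((suspiciousStoredContent(r) ? "ALERT " : "ok    ") + r);
    }
}
```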
Monitoring Recommendations
- Enable verbose logging on the FastBee admin module and forward logs to a centralized SIEM for correlation.
- Alert on administrator account activity that creates notices followed by anomalous browser-originated outbound traffic.
- Track failed Content Security Policy (CSP) violations reported by browsers accessing the FastBee admin interface.
How to Mitigate CVE-2026-7677
Immediate Actions Required
- Restrict access to the FastBee admin interface to trusted networks and authenticated administrators only.
- Audit and remove any system notices containing HTML tags, script content, or suspicious event handler attributes.
- Rotate session tokens and credentials for any administrators who may have viewed attacker-supplied notices.
Patch Information
No official vendor patch has been published. According to the disclosure, the vendor was contacted but did not respond. Operators should monitor the kerwincui FastBee project for upstream fixes and apply server-side input sanitization in the interim.
Workarounds
- Implement a reverse proxy or WAF rule that strips or rejects HTML tags in requests to the notice creation endpoint.
- Apply server-side output encoding by modifying the SysNoticeController Add method to HTML-escape noticeContent before persistence.
- Deploy a strict Content Security Policy on the FastBee admin interface to block inline script execution.
- Limit notice creation privileges to a minimal set of trusted accounts until a vendor fix is available.
# Example nginx rule blocking script payloads to the notice endpoint.
# Caveat: in stock nginx, $request_body is only populated after the body has been
# read (for example by proxy_pass), while "if" runs in the earlier rewrite phase, so
# this check evaluates against an empty body and never matches. Real body inspection
# needs a WAF module (ModSecurity, NAXSI) or a body-reading njs/Lua handler, which
# should also URL-decode the body before matching. Adjust the path to the
# deployment's actual notice creation endpoint.
location /system/notice {
    if ($request_body ~* "(<script|onerror=|onload=|javascript:)") {
        return 403;
    }
    proxy_pass http://fastbee_backend;
}
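As an added example, not FastBee's actual SysNoticeController code, the following Java stand-in shows the vulnerable Add shape beside the escape-before-persistence workaround from the list above. The SysNotice fields and the NoticeStore interface are hypothetical simplifications; the escaping uses Spring's HtmlUtils.htmlEscape, so spring-web must be on the classpath.

```java
// Added example (not FastBee project code): minimal stand-in for the notice Add
// handler, vulnerable shape beside the server-side escaping fix. Names are hypothetical.
import org.springframework.web.util.HtmlUtils;

public class NoticeAddExample {
    /** Simplified stand-in for the notice entity. */
    static class SysNotice {
        String noticeTitle;
        String noticeContent;
    }

    /** Stand-in for the persistence layer (a mapper/DAO in the real project). */
    interface NoticeStore { void insert(SysNotice n); }

    // Vulnerable shape: untrusted content goes to storage verbatim and the
    // front end later renders it into the DOM unescaped.
    static void addVulnerable(NoticeStore store, SysNotice notice) {
        store.insert(notice);
    }

    // Hardened shape: escape HTML metacharacters (< > & " ') before persistence, so
    // stored markup such as <script> is rendered as literal text, not parsed.
    static void addHardened(NoticeStore store, SysNotice notice) {
        if (notice.noticeContent != null) {
            notice.noticeContent = HtmlUtils.htmlEscape(notice.noticeContent);
        }
        if (notice.noticeTitle != null) {
            // The title is rendered too, so treat it the same way.
            notice.noticeTitle = HtmlUtils.htmlEscape(notice.noticeTitle);
        }
        store.insert(notice);
    }

    public static void main(String[] args) {
        NoticeStore printing = n -> System.out.println("stored: " + n.noticeContent);
        SysNotice n = new SysNotice();
        n.noticeTitle = "Maintenance";
        n.noticeContent = "<img src=x onerror=alert(1)>"; // constructed attacker-style input
        addVulnerable(printing, n);
        addHardened(printing, n);
    }
}
```

Escaping on input also neutralizes any legitimate rich-text formatting in notices; if notices must carry HTML, replace htmlEscape with an allowlist sanitizer, and keep output encoding at render time as the primary control.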
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.