Skip to main content

V2Board CVE-2026-37503

| EUVD-2026-26667 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-01 mitre
PHP XSS
6.9
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 16:00 vuln.today
EUVD ID Assigned
May 01, 2026 - 15:45 euvd
EUVD-2026-26667
Analysis Generated
May 01, 2026 - 15:45 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
MEDIUM 6.9

DescriptionNVD

Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.

AnalysisAI

Stored cross-site scripting in V2Board through version 1.7.4 allows authenticated administrators to inject arbitrary JavaScript into the custom_html theme configuration field via the saveThemeConfig API, which is rendered unescaped in the dashboard.blade.php template and executed in the browsers of all site visitors, enabling cookie theft, session hijacking, and phishing attacks.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-37503 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy