Skip to main content

V2Board CVE-2026-39912

| EUVDEUVD-2026-21043 CRITICAL
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-04-09 VulnCheck GHSA-83h9-46h8-whf4
9.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
PoC Detected
Apr 09, 2026 - 19:16 vuln.today
Public exploit code
EUVD ID Assigned
Apr 09, 2026 - 19:15 euvd
EUVD-2026-21043
Analysis Generated
Apr 09, 2026 - 19:15 vuln.today
Patch released
Apr 09, 2026 - 19:15 nvd
Patch available
CVE Published
Apr 09, 2026 - 18:35 nvd
CRITICAL 9.1

DescriptionCVE.org

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.

AnalysisAI

Authentication bypass in V2Board 1.6.1-1.7.4 and Xboard ≤0.1.9 enables unauthenticated account takeover including admin privileges. When login_with_mail_link_enable is active, attackers POST known email addresses to the loginWithMailLink endpoint, receiving full authentication URLs in HTTP responses. Tokens extracted from these URLs are exchanged at token2Login for valid bearer tokens granting complete account access. Publicly available exploit code exists. CVSS 9.1 critical severity reflects network-accessible attack with no user interaction required.

Technical ContextAI

CWE-201 information exposure via authentication token leakage in response bodies. AuthController.php and MailLinkService.php return sensitive tokens directly in loginWithMailLink responses instead of transmitting via secure email channels. PR:N confirms unauthenticated exploitation; attackers enumerate valid emails and extract tokens from JSON responses without SMTP interception.

RemediationAI

Vendor-released patches: Upgrade V2Board to version addressing GitHub PR #981 or apply commit fixes from upstream repository. Upgrade Xboard to commit 121511523f04882ec0c7447acd9b8ebcb8a47957 or later patched release incorporating PR #873. If immediate upgrade is impossible, disable login_with_mail_link_enable feature in application configuration to eliminate the attack vector. Rotate all existing authentication tokens and audit access logs for unauthorized sessions created via loginWithMailLink or token2Login endpoints. Review VulnCheck advisory for additional mitigation guidance: https://www.vulncheck.com/advisories/v2board-xboard-authentication-token-exposure-via-loginwithmaillink. Validate patch deployment by confirming tokens no longer appear in loginWithMailLink HTTP responses.

Share

CVE-2026-39912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy