V2Board

1 CVE

CVE-2026-39912 CRITICAL POC PATCH Act Now

Authentication bypass in V2Board 1.6.1-1.7.4 and Xboard ≤0.1.9 enables unauthenticated account takeover, including of accounts with admin privileges. When login_with_mail_link_enable is active, an attacker can POST a known email address to the loginWithMailLink endpoint and receive the full authentication URL in the HTTP response. The token extracted from that URL can be exchanged at token2Login for a valid bearer token granting complete account access. Publicly available exploit code exists. The CVSS 9.1 critical severity reflects a network-accessible attack that requires no user interaction.

Information Disclosure Microsoft V2Board Xboard
NVD GitHub
CVSS 4.0: 9.1
EPSS: 0.1%
