CVE-2026-37503

Published: May 1, 2026

Modified: May 1, 2026

PUBLISHED

CVSS v3.1

6.9

MEDIUM

Description

Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AC:L/AV:N/A:N/C:H/I:L/PR:H/S:C/UI:R

Attack Complexity

Low

Attack Vector

Network

Availability

None

Confidentiality

High

Integrity

Low

Privileges Required

High

Scope

Changed

User Interaction

Required

References

https://github.com/v2board/v2board

https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-37503

Description

Affected Products

CVSS v3.1 Details

References