CVE-2026-37503

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.9 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N                                    

Vulnerability Description

Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.

Vulnerability Details

Published Date

May 01, 2026

Last Modified

May 01, 2026

Source

NVD

External References

https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9
https://github.com/v2board/v2board

CVE-2026-37503

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment