CVE-2026-37503

MEDIUM

v2board < 1.7.4 - Stored Cross-Site Scripting via Theme Configuration Custom HTML Field

Title source: llm

Description

Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.

References (2)

Core 2

Core References

https://github.com/v2board/v2board

https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9

Scores

CVSS v3 6.9

EPSS 0.0019

EPSS Percentile 8.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

v2board/v2board < 1.7.4

Published May 01, 2026

Tracked Since May 01, 2026