CVE-2026-37503

MEDIUM

V2Board thru 1.7.4 - XSS

Title source: llm

Description

Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.

References (2)

Core 2

Core References

https://github.com/v2board/v2board

https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9

Scores

CVSS v3 6.9

EPSS 0.0003

EPSS Percentile 8.5%

CVSS:3.1/AC:L/AV:N/A:N/C:H/I:L/PR:H/S:C/UI:R

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

Status published

Published May 01, 2026

Tracked Since May 01, 2026