PT-2026-31695 · Xboard+1

Valentin Lobstein · Published 2026-04-09 · Updated 2026-04-12 · CVE-2026-39912

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
V2Board versions 1.6.1 through 1.7.4 and Xboard versions through 0.1.9

Description
V2Board and Xboard are affected by an issue where authentication tokens are exposed in the HTTP response bodies of the loginWithMailLink endpoint when the login with mail link enable feature is active. An unauthenticated attacker can send a POST request to the loginWithMailLink endpoint with a known email address and receive a full authentication URL in the response. This URL can then be used to exchange the token at the token2Login endpoint, granting the attacker a valid bearer token with full account access, including administrative privileges.

Recommendations
For V2Board versions 1.6.1 through 1.7.4, disable the login with mail link enable feature. For Xboard versions through 0.1.9, disable the login with mail link enable feature.
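
For reviewing existing access logs, the following added example (not part of the advisory or of either project) flags clients that reach token2Login within seconds of a POST to loginWithMailLink, which is faster than a user can normally receive and open a mail link. The common log format, the 5-second threshold and the placeholder path prefix are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (common log format). The IPs come from
# documentation ranges and the path prefix is a placeholder, not a real route.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:08:00:01 +0000] "POST /PLACEHOLDER/loginWithMailLink HTTP/1.1" 200 312
203.0.113.7 - - [10/Apr/2026:08:00:02 +0000] "GET /PLACEHOLDER/token2Login HTTP/1.1" 200 148
198.51.100.4 - - [10/Apr/2026:08:05:00 +0000] "POST /PLACEHOLDER/loginWithMailLink HTTP/1.1" 200 64
198.51.100.4 - - [10/Apr/2026:08:06:30 +0000] "GET /PLACEHOLDER/token2Login HTTP/1.1" 200 148
192.0.2.9 - - [10/Apr/2026:09:00:00 +0000] "GET /PLACEHOLDER/token2Login HTTP/1.1" 200 148
"""

# client IP, timestamp, method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_fast_exchanges(log_text, window_seconds=5):
    """Return (client_ip, seconds) pairs where the same client requested
    token2Login within window_seconds of a successful loginWithMailLink POST.

    The threshold is an assumed heuristic: a legitimate user has to wait for
    the mail to arrive before following the link.
    """
    pending = {}   # client IP -> time of its latest loginWithMailLink POST
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, TIME_FMT)
        # Compare only the last path segment, since route prefixes vary.
        endpoint = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        if endpoint == "loginWithMailLink" and method == "POST" and status == "200":
            pending[ip] = when
        elif endpoint == "token2Login" and ip in pending:
            delta = (when - pending.pop(ip)).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append((ip, delta))
    return findings


if __name__ == "__main__":
    for ip, delta in find_fast_exchanges(SAMPLE_LOG):
        print(f"{ip}: token2Login {delta:.0f}s after loginWithMailLink")
```

A hit is a lead for review, not proof of compromise; a client that changes address between the two requests is not correlated by this check.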

Related Identifiers

CVE-2026-39912

Affected Products

V2Board
Xboard