PT-2026-36484 · V2Board · V2Board

Sginnora · Published 2026-05-01 · Updated 2026-05-11 · CVE-2026-37503

CVSS v3.1: 6.9 Medium

Vector: AC:L/AV:N/A:N/C:H/I:L/PR:H/S:C/UI:R

Name of the Vulnerable Software and Affected Versions

V2Board versions prior to 1.7.5

Description

Cross-Site Scripting (XSS) occurs when the custom html field in the theme configuration is rendered using unescaped Blade output in the 'public/theme/v2board/dashboard.blade.php' file. An administrator can inject arbitrary JavaScript through the 'saveThemeConfig' API endpoint. This allows the execution of payloads for all site visitors, which can lead to session hijacking, cookie theft, or phishing.

Recommendations

Update to a version later than 1.7.4. As a temporary workaround, restrict access to the 'saveThemeConfig' API endpoint or avoid using the custom html field in the theme configuration.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-37503

Affected Products

V2Board