PT-2026-36485 · V2Board · V2Board

Sginnora · Published 2026-05-01 · Updated 2026-05-11 · CVE-2026-37504

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

V2Board versions prior to 1.7.5

Description

The server authentication token is accepted via a GET parameter in the app/Http/Controllers/Server/UniProxyController.php file. This causes the token to be exposed in URLs, such as the endpoint "/api/v1/server/UniProxy/user" through the token variable. Consequently, the sensitive information may be recorded in browser history, web server access logs, HTTP Referer headers, and proxy or CDN logs. An attacker with access to these logs can extract the token to impersonate a proxy server node and potentially intercept user traffic.

Recommendations

Update to a version later than 1.7.4. As a temporary mitigation, restrict access to the "/api/v1/server/UniProxy/user" endpoint to trusted IP addresses to minimize the risk of token exposure in logs.
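
A defender's check for the log exposure described above, as an added example that is not part of the advisory or of V2Board's code: it scans access-log lines for the endpoint URL carrying a "token" query parameter (in the request line or the Referer field), masks the value, and records a truncated SHA-256 fingerprint so distinct exposed tokens can be counted without storing them. The combined log format, the sample lines, and the extra "node_id" query parameter are assumptions constructed for illustration.

```python
import hashlib
import re

# Endpoint and parameter name come from the advisory text.
ENDPOINT = "/api/v1/server/UniProxy/user"
# The endpoint URL with its query string, in a request line or Referer field.
URL_RE = re.compile(re.escape(ENDPOINT) + r'\?[^\s"]*')
# "token" only where it starts a query parameter (directly after ? or &).
TOKEN_RE = re.compile(r'(?<=[?&])token=([^&\s"]*)')


def fingerprint(token):
    """Short SHA-256 prefix: enough to tell tokens apart, not to recover one."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def scrub(lines):
    """Return (redacted_lines, findings) for an iterable of access-log lines."""
    redacted, findings = [], []
    for number, line in enumerate(lines, start=1):
        seen = []

        def mask_token(m):
            if m.group(1):
                seen.append(fingerprint(m.group(1)))
            return "token=REDACTED"

        def mask_url(m):
            return TOKEN_RE.sub(mask_token, m.group(0))

        redacted.append(URL_RE.sub(mask_url, line))
        client = line.split(" ", 1)[0]  # first field of the assumed log format
        findings += [{"line": number, "client": client, "token_fp": fp} for fp in seen]
    return redacted, findings


# Constructed sample lines (assumed nginx/Apache combined log format).
SAMPLE = [
    '203.0.113.10 - - [01/May/2026:10:00:00 +0000] "GET /api/v1/server/UniProxy/user?node_id=1&token=EXAMPLE-TOKEN-A HTTP/1.1" 200 512 "-" "node-agent"',
    '203.0.113.10 - - [01/May/2026:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 99 "-" "curl"',
    '198.51.100.7 - - [01/May/2026:10:02:00 +0000] "GET /favicon.ico HTTP/1.1" 200 10 "https://panel.example/api/v1/server/UniProxy/user?token=EXAMPLE-TOKEN-A&node_id=1" "Mozilla/5.0"',
]

if __name__ == "__main__":
    clean, hits = scrub(SAMPLE)
    print("\n".join(clean))
    print(hits)
```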

Related Identifiers

CVE-2026-37504

Affected Products

V2Board