CVE-2026-37505

Name of the Vulnerable Software and Affected Versions V2Board versions prior to 1.7.5

Description An issue exists where the sort parameter from user input is passed directly to the User::orderBy() function in the 'app/Http/Controllers/Admin/UserController.php' file without proper validation. This allows an authenticated administrator to perform SQL Injection via the ORDER BY clause, enabling them to sort users by any database column, including sensitive fields such as password and remember token, which leads to information disclosure through ordering analysis.

Recommendations Update to a version later than 1.7.4. As a temporary workaround, restrict access to the administrative user management functions in 'app/Http/Controllers/Admin/UserController.php' to minimize the risk of exploitation.