Vulnerability Details CVE-2026-37503
Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.6%
CVSS Severity
CVSS v3 Score 6.9
References
Products affected by CVE-2026-37503
-
cpe:2.3:a:v2board:v2board:0.1.0
-
cpe:2.3:a:v2board:v2board:1.0.0
-
cpe:2.3:a:v2board:v2board:1.0.1
-
cpe:2.3:a:v2board:v2board:1.0.2
-
cpe:2.3:a:v2board:v2board:1.0.3
-
cpe:2.3:a:v2board:v2board:1.1
-
cpe:2.3:a:v2board:v2board:1.1.1
-
cpe:2.3:a:v2board:v2board:1.1.2
-
cpe:2.3:a:v2board:v2board:1.2
-
cpe:2.3:a:v2board:v2board:1.2.1
-
cpe:2.3:a:v2board:v2board:1.2.2
-
cpe:2.3:a:v2board:v2board:1.2.3
-
cpe:2.3:a:v2board:v2board:1.2.4
-
cpe:2.3:a:v2board:v2board:1.2.5
-
cpe:2.3:a:v2board:v2board:1.3
-
cpe:2.3:a:v2board:v2board:1.3.1
-
cpe:2.3:a:v2board:v2board:1.3.2
-
cpe:2.3:a:v2board:v2board:1.4
-
cpe:2.3:a:v2board:v2board:1.4.1
-
cpe:2.3:a:v2board:v2board:1.4.2
-
cpe:2.3:a:v2board:v2board:1.4.3
-
cpe:2.3:a:v2board:v2board:1.5.0
-
cpe:2.3:a:v2board:v2board:1.5.1
-
cpe:2.3:a:v2board:v2board:1.5.2
-
cpe:2.3:a:v2board:v2board:1.5.3
-
cpe:2.3:a:v2board:v2board:1.5.4
-
cpe:2.3:a:v2board:v2board:1.5.5
-
cpe:2.3:a:v2board:v2board:1.6.0
-
cpe:2.3:a:v2board:v2board:1.6.1
-
cpe:2.3:a:v2board:v2board:1.7.0
-
cpe:2.3:a:v2board:v2board:1.7.1
-
cpe:2.3:a:v2board:v2board:1.7.2
-
cpe:2.3:a:v2board:v2board:1.7.3
-
cpe:2.3:a:v2board:v2board:1.7.4