Medium severity6.9NVD Advisory· Published May 1, 2026· Updated May 11, 2026
CVE-2026-37503
CVE-2026-37503
Description
Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1- gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9nvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.