Ghostwire

CVE-2026-37503: Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade...

MEDIUM CVSS 5.5 EPSS 0.03%

Published: May 1, 2026 | Last Modified: May 1, 2026

Description

Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.

Ghostwire Analysis — What This Means Practically

Exploitation Probability (EPSS): Low — 0.03% (9th percentile)

Low exploitation probability based on current threat landscape data. Standard patching timeline is appropriate.

Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

CVE-2026-37503: Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade...

Description

Ghostwire Analysis — What This Means Practically

Security Coverage (2 articles)

References