# V2Board ≤ 1.7.4 Multiple Vulnerabilities Summary ## Vulnerability Overview V2Board is a deprecated project (unmaintained since 2023). Multiple security vulnerabilities were identified in versions ≤ 1.7.4, including stored XSS, sensitive information leakage, and SQL injection. ## Affected Scope - **Affected Versions**: V2Board ≤ 1.7.4 (all versions) - **Project Status**: Deprecated (unmaintained since 2023) ## Vulnerability Details and Remediation ### 1. CVE-2026-37503: Stored XSS via `custom_html` - **Type**: Stored XSS - **CWE**: CWE-79 - **Location**: Theme configuration `custom_html` field - **Description**: When rendering the theme configuration, the `custom_html` field is not escaped in the Blade template (`{!! $theme_config['custom_html'] !!}`). - **Remediation**: - Use `{{ }}` for escaped output; or - Apply filtering equivalent to `wp_kses` before storage. ### 2. CVE-2026-37504: `server_token` Exposure via GET - **Type**: Sensitive Token Exposure - **CWE**: CWE-598 - **Location**: `app/Http/Controllers/Server/UniverseController.php` - **Description**: The `server_token` is passed as a URL query parameter. - **Remediation**: - Move token acceptance to request headers or POST body; query parameters are unsuitable for transmitting sensitive tokens. ### 3. CVE-2026-37505: SQL Injection via `ORDER BY` - **Type**: SQL Injection - **CWE**: CWE-89 - **Location**: `app/Http/Controllers/Admin/UserController.php` - **Description**: User-supplied column names are concatenated when constructing the `ORDER BY` clause. - **Remediation**: - Validate that the column name exists in a hardcoded whitelist; - Direction values (ASC/DESC) should also be filtered. --- > Reporter: Feng Ning, Innora Security Research > Disclosure Date: 2026-04-30 > Source: https://innora.ai