CVE-2026-39912

216.73.217.22

· Published 09/04/2026 19:16 · Modified 09/04/2026 19:16

Labels: CVE-2026-39912 2026-04-09 CVE-2026-39912 CWE-201 [email protected]

Essential information

Published: 09/04/2026 19:16
Modified: 09/04/2026 19:16
Author: —
Creator: —
CVSS: 9.1 CRITICAL (v3) 9.1 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
v2board / v2board	`cpe:2.3:a:v2board:v2board:1.6.1-1.7.4:::::::*`
xboard / xboard	`cpe:2.3:a:xboard:xboard:0.1.9:::::::*`