{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39912", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-07T20:57:06.209Z", "datePublished": "2026-04-09T18:35:35.569Z", "dateUpdated": "2026-04-13T15:38:46.529Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-09T18:51:49.345Z"}, "title": "v2board / Xboard Authentication Token Exposure via loginWithMailLink", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-201", "description": "CWE-201 Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}], "affected": [{"vendor": "v2board", "product": "v2board", "repo": "https://github.com/v2board/v2board", "versions": [{"status": "affected", "version": "1.6.1", "lessThanOrEqual": "1.7.4", "versionType": "semver"}, {"status": "affected", "version": "bdb10bed32c5f37df2f0872c3cb354e9b7a293bd", "lessThanOrEqual": "0ca47622a50116d0ddd7ffb316b157afb57d25e8", "versionType": "git"}], "defaultStatus": "unknown"}, {"vendor": "cedar2025", "product": "Xboard", "repo": "https://github.com/cedar2025/Xboard", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "0.1.9", "versionType": "semver"}, {"status": "unaffected", "version": "121511523f04882ec0c7447acd9b8ebcb8a47957", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.<br>"}]}], "references": [{"url": "https://chocapikk.com/posts/2026/xboard-v2board-account-takeover/", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/v2board/v2board/pull/981", "tags": ["issue-tracking", "mitigation"]}, {"url": "https://github.com/cedar2025/Xboard/pull/873", "tags": ["issue-tracking", "mitigation"]}, {"url": "https://github.com/v2board/v2board/blob/0ca47622a50116d0ddd7ffb316b157afb57d25e8/app/Http/Controllers/Passport/AuthController.php#L71", "tags": ["related"]}, {"url": "https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Services/Auth/MailLinkService.php#L49", "tags": ["related"]}, {"url": "https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Http/Controllers/V1/Passport/AuthController.php#L51", "tags": ["related"]}, {"url": "https://github.com/cedar2025/Xboard/commit/121511523f04882ec0c7447acd9b8ebcb8a47957", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/v2board-xboard-authentication-token-exposure-via-loginwithmaillink", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}], "credits": [{"lang": "en", "value": "Valentin Lobstein (Chocapikk)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:16:59.517212Z", "id": "CVE-2026-39912", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:38:46.529Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39912", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-10T20:16:59.517212Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:17:22.820Z"}}], "cna": {"title": "v2board / Xboard Authentication Token Exposure via loginWithMailLink", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Valentin Lobstein (Chocapikk)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/v2board/v2board", "vendor": "v2board", "product": "v2board", "versions": [{"status": "affected", "version": "1.6.1", "versionType": "semver", "lessThanOrEqual": "1.7.4"}, {"status": "affected", "version": "bdb10bed32c5f37df2f0872c3cb354e9b7a293bd", "versionType": "git", "lessThanOrEqual": "0ca47622a50116d0ddd7ffb316b157afb57d25e8"}], "defaultStatus": "unknown"}, {"repo": "https://github.com/cedar2025/Xboard", "vendor": "cedar2025", "product": "Xboard", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1.9"}, {"status": "unaffected", "version": "121511523f04882ec0c7447acd9b8ebcb8a47957", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://chocapikk.com/posts/2026/xboard-v2board-account-takeover/", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/v2board/v2board/pull/981", "tags": ["issue-tracking", "mitigation"]}, {"url": "https://github.com/cedar2025/Xboard/pull/873", "tags": ["issue-tracking", "mitigation"]}, {"url": "https://github.com/v2board/v2board/blob/0ca47622a50116d0ddd7ffb316b157afb57d25e8/app/Http/Controllers/Passport/AuthController.php#L71", "tags": ["related"]}, {"url": "https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Services/Auth/MailLinkService.php#L49", "tags": ["related"]}, {"url": "https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Http/Controllers/V1/Passport/AuthController.php#L51", "tags": ["related"]}, {"url": "https://github.com/cedar2025/Xboard/commit/121511523f04882ec0c7447acd9b8ebcb8a47957", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/v2board-xboard-authentication-token-exposure-via-loginwithmaillink", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.", "supportingMedia": [{"type": "text/html", "value": "V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201 Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-09T18:51:49.345Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39912", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:38:46.529Z", "dateReserved": "2026-04-07T20:57:06.209Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-09T18:35:35.569Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges."}], "id": "CVE-2026-39912", "lastModified": "2026-04-15T15:00:32.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-09T19:16:25.920", "references": [{"source": "disclosure@vulncheck.com", "url": "https://chocapikk.com/posts/2026/xboard-v2board-account-takeover/"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Http/Controllers/V1/Passport/AuthController.php#L51"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Services/Auth/MailLinkService.php#L49"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/cedar2025/Xboard/commit/121511523f04882ec0c7447acd9b8ebcb8a47957"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/cedar2025/Xboard/pull/873"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/v2board/v2board/blob/0ca47622a50116d0ddd7ffb316b157afb57d25e8/app/Http/Controllers/Passport/AuthController.php#L71"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/v2board/v2board/pull/981"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/v2board-xboard-authentication-token-exposure-via-loginwithmaillink"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.1.9]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "121511523f04882ec0c7447acd9b8ebcb8a47957"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Xboard", "source": "cna", "vendor": "cedar2025"}, "product": "xboard", "vendor": "cedar2025"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.1,1.7.4]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bdb10bed32c5f37df2f0872c3cb354e9b7a293bd,0ca47622a50116d0ddd7ffb316b157afb57d25e8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "v2board", "vendor": "v2board"}], "analysis": {"en": {"generated_at": "2026-04-09T21:36:10.719026+00:00", "value": {"mitigation_remediation": ["Upgrade v2board to 1.7.5 or later and Xboard to 0.1.10 or later, where the loginWithMailLink endpoint no longer includes the authentication token in the response.", "If an upgrade is not possible, disable the login_with_mail_link_enable feature in the configuration to prevent tokens from being exposed.", "After disabling or updating, verify that the loginWithMailLink endpoint no longer returns a token or full authentication URL in the HTTP response body."], "summary": {"action": "Immediate Patch", "impact": "Account Takeover"}, "threat_synthesis": {"affected_systems": "Versions of cedar2025 Xboard from 0.1.0 through 0.1.9 and v2board from 1.6.1 through 1.7.4 are affected when the login_with_mail_link_enable feature is enabled.", "description_and_impact": "The loginWithMailLink endpoint returns a full authentication URL that contains an authentication token in the HTTP response body when the login_with_mail_link_enable feature is active. An unauthenticated attacker can submit a known email address to this endpoint and receive a complete login URL. By sending that URL to the token2Login endpoint, the attacker obtains a bearer token that grants full account access, including administrative privileges. The flaw is a direct information\u2011exposure weakness (CWE\u2011201).", "risk_and_exploitability": "The CVSS base score of 9.1 marks the vulnerability as critical. An attacker can exploit it from any network location by simply POSTing a known email address to the loginWithMailLink endpoint; no authentication, special permissions, or code execution are required. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of exposure controls and the ease of obtaining valid tokens make the risk immediate and high."}}}}, "created": "2026-04-10T08:39:19.048796+00:00", "updated": "2026-04-10T09:31:43.324081+00:00", "vendors": ["cedar2025", "cedar2025$PRODUCT$xboard", "v2board", "v2board$PRODUCT$v2board"]}