Security Advisory

CVE-2026-39912

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-09 18:35:35
Last updated 2026-06-23 16:16:26
Assigner VulnCheck
State PUBLISHED

Description

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.