CVE-2026-39912

Source
https://cve.org/CVERecord?id=CVE-2026-39912
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39912.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39912
Published
2026-04-09T18:35:35.569Z
Modified
2026-07-15T01:49:11.465728015Z
Severity
  • 9.1 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
v2board / Xboard Authentication Token Exposure via loginWithMailLink
Details

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the loginwithmaillinkenable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.

Database specific
{
    "cna_assigner": "VulnCheck",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39912.json",
    "cwe_ids": [
        "CWE-201"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "bdb10bed32c5f37df2f0872c3cb354e9b7a293bd"
                },
                {
                    "last_affected": "0ca47622a50116d0ddd7ffb316b157afb57d25e8"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/cedar2025/xboard

Affected ranges

Type
GIT
Repo
https://github.com/cedar2025/xboard
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.1.9"
        }
    ]
}
Type
GIT
Repo
https://github.com/v2board/v2board
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "1.6.1"
        },
        {
            "last_affected": "1.7.4"
        },
        {
            "fixed": "1.7.4"
        }
    ]
}

Affected versions

1.*
1.6.1
1.7.0
1.7.1
1.7.2
1.7.3
v0.*
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39912.json"