This vulnerability is a stored Cross-Site Scripting (XSS) issue in V2Board up to version 1.7.4. The root cause is unescaped output of the custom_html field in the theme configuration within a Blade template file. Because the field is rendered directly, an admin user can inject malicious JavaScript code via the saveThemeConfig API. When other users visit the affected dashboard page, the injected script executes in their browsers, potentially allowing theft of cookies, session hijacking, or phishing. The vulnerability requires high privileges (admin) to inject the payload and user interaction to trigger the script execution. The CVSS vector indicates network attack complexity is low, no privileges required to be attacked remotely, but in this case, the attack requires admin privileges and user interaction. There is no vendor advisory or patch information available at this time.

Successful exploitation allows an attacker with administrator access to inject JavaScript that executes in the browsers of all site visitors. This can lead to theft of authentication cookies, session hijacking, or phishing attacks targeting users of the V2Board instance. The vulnerability affects confidentiality and integrity of user sessions. No known exploits in the wild have been reported. The attack requires an attacker to have admin privileges and relies on users visiting the affected page to trigger the payload.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrator access to trusted personnel only and monitor for suspicious activity. Avoid using untrusted input in the custom_html field or disable custom HTML rendering if possible. Implement Content Security Policy (CSP) headers to reduce impact of injected scripts. Review and sanitize inputs in theme configuration if feasible.