How to Fix CVE-2026-37504: n/a (Bundle Sibling)

By Sai Kiran Pandrala

Last verified: 2026-05-25

CVE-2026-37504 is a sibling vulnerability in the same vendor advisory as CVE-2026-37503. Applying the patched build named in the primary write-up closes this CVE as well.

What's different about CVE-2026-37504?

Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be recorded in web server access logs, browser history, HTTP Referer headers, and proxy/CDN logs. An attacker who gains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic.

The technical impact and remediation are identical to the primary CVE in the bundle. The same vendor patch closes both.

How to fix CVE-2026-37504

Apply the patched build per the primary write-up: How to Fix CVE-2026-37503.

The patch installation procedure, verification commands, and interim mitigations are documented there. Reusing one runbook keeps the rollout consistent across the bundle.

Frequently asked questions

Is CVE-2026-37504 fixed by the same patch as CVE-2026-37503?

Yes. CVE-2026-37504 ships in the same vendor advisory as CVE-2026-37503. Applying the patched build named in the primary write-up closes both.

What is the CVSS score for CVE-2026-37504?

The CVSS base score is 5.3 (Medium).

Is it being exploited?

It is not currently listed in CISA KEV.

References

• Official vendor advisory: https://github.com/v2board/v2board
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-37504
• CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Primary write-up: How to Fix CVE-2026-37503

*Part of the n/a bundle. Full procedure at CVE-2026-37503.*