Which versions of Brave CMS are affected by CVE-2026-35047?

BraveCMS versions prior to 2.0.6 contain an unauthenticated remote code execution vulnerability in file upload functionality that allows attackers to execute arbitrary commands on affected servers…. A patch is available.

Brave CMS CVE-2026-35047

Q: What is the CVSS score of CVE-2026-35047?

CVE-2026-35047 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

EUVD-2026-19392 CRITICAL

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-04-06 GitHub_M

RCE File Upload

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:46 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2.0.6

EUVD ID Assigned

Apr 06, 2026 - 17:45 euvd

EUVD-2026-19392

Analysis Generated

Apr 06, 2026 - 17:45 vuln.today

CVE Published

Apr 06, 2026 - 17:25 nvd

CRITICAL 9.3

DescriptionNVD

Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on the server, potentially resulting in full system compromise, data exfiltration, or service disruption. All users running affected versions of BraveCMS are impacted. This vulnerability is fixed in 2.0.6.

AnalysisAI

Unrestricted file upload in BraveCMS 2.0 (prior to 2.0.6) enables remote attackers to execute arbitrary code on the server without authentication. The CKEditor endpoint accepts malicious file uploads including executable scripts, leading to full remote code execution with CVSS 9.3 severity. …

RemediationAI

Within 24 hours: identify all BraveCMS 2.0.x installations and document current versions. Within 7 days: upgrade all affected instances to BraveCMS 2.0.6 or later, and review CKEditor endpoint access logs for suspicious file uploads. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35047 vulnerability details – vuln.today

Back

Brave CMS CVE-2026-35047

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Brave CMS CVE-2026-35047

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code