What is the CVSS score of CVE-2026-35164?

CVE-2026-35164 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of PHP are affected by CVE-2026-35164?

Brave CMS versions before 2.0.6 contain a remote code execution vulnerability in the file upload handler that allows low-privilege authenticated users to execute arbitrary code on affected servers.. A patch is available.

How to fix or mitigate CVE-2026-35164?

Within 24 hours: Identify all Brave CMS deployments and document current versions. Within 7 days: Apply vendor patch to upgrade Brave CMS to version 2.0.6 or later on all affected instances. Within 30 days: Conduct access review of low-privilege user accounts with upload permissions and implement principle of least privilege restrictions on file upload functionality.

PHP CVE-2026-35164

EUVD-2026-19412 HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-04-06 security-advisories@github.com

PHP RCE File Upload

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:06 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2.0.6

EUVD ID Assigned

Apr 06, 2026 - 18:22 euvd

EUVD-2026-19412

Analysis Generated

Apr 06, 2026 - 18:22 vuln.today

CVE Published

Apr 06, 2026 - 18:16 nvd

HIGH 8.8

DescriptionNVD

Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController.php within the ckupload method. The method fails to validate uploaded file types and relies entirely on user input. This allows an authenticated user to upload executable PHP scripts and gain Remote Code Execution. This vulnerability is fixed in 2.0.6.

AnalysisAI

Remote code execution in Brave CMS versions prior to 2.0.6 allows authenticated users to upload and execute arbitrary PHP scripts through the CKEditor upload functionality. The vulnerability stems from unrestricted file upload in the ckupload method of CkEditorController.php, which fails to validate uploaded file types. …

RemediationAI

Within 24 hours: Identify all Brave CMS deployments and document current versions. Within 7 days: Apply vendor patch to upgrade Brave CMS to version 2.0.6 or later on all affected instances. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35164 vulnerability details – vuln.today

Back

PHP CVE-2026-35164

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code