EUVD-2026-19460CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
3Tags
Description
Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL but does not verify ownership. This allows an authenticated user with edit permissions to delete images attached to articles owned by other users. This vulnerability is fixed in 2.0.6.
Analysis
Authenticated users in Brave CMS can delete arbitrary article images belonging to other users via an Insecure Direct Object Reference (IDOR) flaw in versions prior to 2.0.6. The deleteImage method in ArticleController.php accepts filenames without verifying ownership, allowing any authenticated user with edit permissions to delete images from articles they don't own. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Brave CMS deployments and identify installed versions. Within 7 days: Restrict edit permissions to only essential personnel and disable article editing for non-administrators pending patch availability; implement access logging for the ArticleController deleteImage method. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today