Skip to main content

Brave CMS CVE-2026-41524

| EUVDEUVD-2026-28648 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 security-advisories@github.com
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
May 08, 2026 - 16:18 EUVD
Source Code Evidence Fetched
May 08, 2026 - 16:15 vuln.today
Analysis Generated
May 08, 2026 - 16:15 vuln.today
CVE Published
May 08, 2026 - 15:16 nvd
HIGH 8.7

DescriptionGitHub Advisory

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603.

AnalysisAI

Stored cross-site scripting (XSS) in Brave CMS 2.0 allows authenticated users with editor privileges to inject malicious JavaScript through the CKEditor rich-text interface, achieving persistent code execution in all visitors' browsers. The vulnerability stems from Laravel Blade's unescaped output directive {!! !!} rendering user-supplied content without sanitization. Patched via commit 6c56603 which implements HtmlSanitizer to allowlist safe HTML tags and strip dangerous attributes before database storage.

Technical ContextAI

Brave CMS 2.0 is a Laravel-based content management system using CKEditor for rich-text editing. The vulnerability exists in the article and page controllers (app/Http/Controllers/Dashboard/ArticleController.php and PageController.php) where user-supplied content is stored directly to the database without sanitization, then rendered using Laravel Blade's {!! !!} unescaped output directive. This CWE-79 stored XSS flaw allows arbitrary HTML/JavaScript persistence. The patch introduces app/Support/HtmlSanitizer.php which implements a DOM-based allowlist approach, permitting only specific HTML tags (p, br, b, strong, i, em, u, a, ul, ol, li, img, h1-h6, blockquote, code, pre) and attributes (href/title for anchors, src/alt/title for images), removing all other elements including script tags and event handlers.

RemediationAI

Update Brave CMS 2.0 to commit 6c5660373cf5f0ca9181603280427aca46ef11ea or later from https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea. The patch implements app/Support/HtmlSanitizer::clean() in ArticleController and PageController to sanitize rich-text content before database storage, allowlisting safe HTML tags and stripping script tags, event handlers, and dangerous attributes. If immediate patching is not feasible, restrict editor-role access to highly trusted users only and audit existing article/page content for suspicious JavaScript (search database for <script>, onerror=, onclick=, and similar patterns). Note that restricting CKEditor features client-side provides no protection as the vulnerability exists in server-side output handling. Content Security Policy (CSP) with script-src 'self' can reduce exploit impact but does not prevent storage of malicious payloads or attacks against non-CSP-protected browsers.

Share

CVE-2026-41524 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy