Skip to main content

Bravecms 2 0 EUVDEUVD-2026-19392

| CVE-2026-35047 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-04-06 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:46 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.6
EUVD ID Assigned
Apr 06, 2026 - 17:45 euvd
EUVD-2026-19392
Analysis Generated
Apr 06, 2026 - 17:45 vuln.today
CVE Published
Apr 06, 2026 - 17:25 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on the server, potentially resulting in full system compromise, data exfiltration, or service disruption. All users running affected versions of BraveCMS are impacted. This vulnerability is fixed in 2.0.6.

AnalysisAI

Unrestricted file upload in BraveCMS 2.0 (prior to 2.0.6) enables remote attackers to execute arbitrary code on the server without authentication. The CKEditor endpoint accepts malicious file uploads including executable scripts, leading to full remote code execution with CVSS 9.3 severity. EPSS data unavailable, no confirmed active exploitation (not in CISA KEV), but upstream fix is available via GitHub commit and version 2.0.6 release. Attack complexity is low with network-accessible vector requiring no privileges or user interaction, making this a critical exposure for internet-facing BraveCMS installations.

Technical ContextAI

BraveCMS is an open-source content management system utilizing CKEditor for rich text editing functionality. The vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) stems from insufficient input validation on the CKEditor file upload endpoint, which fails to properly restrict file types and validate uploaded content. The affected product (cpe:2.3:a:ajax30:bravecms-2.0) allows arbitrary files-including server-side scripts (PHP, JSP, or similar depending on server configuration)-to be uploaded and potentially executed in a web-accessible directory. This bypasses standard file type restrictions and MIME type validation, enabling attackers to place web shells or malicious executables on the server filesystem where they can be directly invoked via HTTP requests.

RemediationAI

Upgrade immediately to BraveCMS version 2.0.6, which contains the security fix for this vulnerability. The patch is delivered via commit 058ee4ed7c2b39d540af8274024afcbc9532aa83 and pull request #122 in the upstream repository (https://github.com/Ajax30/BraveCMS-2.0/pull/122). Organizations unable to upgrade immediately should implement network-level restrictions to limit access to the CKEditor upload endpoint to trusted IP ranges only, disable file upload functionality if not operationally required, or deploy web application firewall rules to inspect and block suspicious file upload requests. Review server logs for any unauthorized file uploads that occurred prior to patching, particularly examining web-accessible directories for unexpected executable files. Consult the vendor security advisory at https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-9rcc-w59j-965v for additional mitigation guidance.

Share

EUVD-2026-19392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy