How to fix EUVD-2026-19392?

Within 24 hours: Inventory all BraveCMS deployments and confirm versions; take internet-facing instances offline or restrict access to CKEditor endpoints. Within 7 days: Upgrade all BraveCMS installations to version 2.0.6 or later per vendor release on GitHub. Within 30 days: Conduct server forensics on all affected systems for evidence of exploitation; rotate all credentials and API keys; review web server logs for suspicious file upload activity to the CKEditor endpoint.

EUVD-2026-19392

| CVE-2026-35047 CRITICAL

2026-04-06 GitHub_M

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 06, 2026 - 17:45 vuln.today

EUVD ID Assigned

Apr 06, 2026 - 17:45 euvd

EUVD-2026-19392

CVE Published

Apr 06, 2026 - 17:25 nvd

CRITICAL 9.3

Description

Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on the server, potentially resulting in full system compromise, data exfiltration, or service disruption. All users running affected versions of BraveCMS are impacted. This vulnerability is fixed in 2.0.6.

Analysis

Unrestricted file upload in BraveCMS 2.0 (prior to 2.0.6) enables remote attackers to execute arbitrary code on the server without authentication. The CKEditor endpoint accepts malicious file uploads including executable scripts, leading to full remote code execution with CVSS 9.3 severity. …

Remediation

Within 24 hours: Inventory all BraveCMS deployments and confirm versions; take internet-facing instances offline or restrict access to CKEditor endpoints. Within 7 days: Upgrade all BraveCMS installations to version 2.0.6 or later per vendor release on GitHub. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.4

CVSS: +46

POC: 0

EUVD-2026-19392 vulnerability details – vuln.today

Back

EUVD-2026-19392

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-19392

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code