Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603.
AnalysisAI
Stored cross-site scripting (XSS) in Brave CMS 2.0 allows authenticated users with editor privileges to inject malicious JavaScript through the CKEditor rich-text interface, achieving persistent code execution in all visitors' browsers. The vulnerability stems from Laravel Blade's unescaped output directive {!! !!} rendering user-supplied content without sanitization. Patched via commit 6c56603 which implements HtmlSanitizer to allowlist safe HTML tags and strip dangerous attributes before database storage.
Technical ContextAI
Brave CMS 2.0 is a Laravel-based content management system using CKEditor for rich-text editing. The vulnerability exists in the article and page controllers (app/Http/Controllers/Dashboard/ArticleController.php and PageController.php) where user-supplied content is stored directly to the database without sanitization, then rendered using Laravel Blade's {!! !!} unescaped output directive. This CWE-79 stored XSS flaw allows arbitrary HTML/JavaScript persistence. The patch introduces app/Support/HtmlSanitizer.php which implements a DOM-based allowlist approach, permitting only specific HTML tags (p, br, b, strong, i, em, u, a, ul, ol, li, img, h1-h6, blockquote, code, pre) and attributes (href/title for anchors, src/alt/title for images), removing all other elements including script tags and event handlers.
RemediationAI
Update Brave CMS 2.0 to commit 6c5660373cf5f0ca9181603280427aca46ef11ea or later from https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea. The patch implements app/Support/HtmlSanitizer::clean() in ArticleController and PageController to sanitize rich-text content before database storage, allowlisting safe HTML tags and stripping script tags, event handlers, and dangerous attributes. If immediate patching is not feasible, restrict editor-role access to highly trusted users only and audit existing article/page content for suspicious JavaScript (search database for <script>, onerror=, onclick=, and similar patterns). Note that restricting CKEditor features client-side provides no protection as the vulnerability exists in server-side output handling. Content Security Policy (CSP) with script-src 'self' can reduce exploit impact but does not prevent storage of malicious payloads or attacks against non-CSP-protected browsers.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28648