{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35164", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.132Z", "datePublished": "2026-04-06T17:33:33.715Z", "dateUpdated": "2026-04-06T17:33:33.715Z"}, "containers": {"cna": {"title": "Brave CMS Sffected by Unrestricted File Upload via CKEditor Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-2j4q-6p52-4rhw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-2j4q-6p52-4rhw"}], "affected": [{"vendor": "Ajax30", "product": "BraveCMS-2.0", "versions": [{"version": "< 2.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:33:33.715Z"}, "descriptions": [{"lang": "en", "value": "Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController.php within the ckupload method. The method fails to validate uploaded file types and relies entirely on user input. This allows an authenticated user to upload executable PHP scripts and gain Remote Code Execution. This vulnerability is fixed in 2.0.6."}], "source": {"advisory": "GHSA-2j4q-6p52-4rhw", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController.php within the ckupload method. The method fails to validate uploaded file types and relies entirely on user input. This allows an authenticated user to upload executable PHP scripts and gain Remote Code Execution. This vulnerability is fixed in 2.0.6."}], "id": "CVE-2026-35164", "lastModified": "2026-04-06T18:16:42.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T18:16:42.900", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-2j4q-6p52-4rhw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-06T21:37:06.914530+00:00", "value": {"mitigation_remediation": ["Upgrade BraveCMS to version 2.0.6 or later to apply the vendor\u2019s fix.", "Verify that your production environment is not running a vulnerable version by checking the CMS version string or the installed package metadata.", "If upgrading immediately is not feasible, restrict CKEditor file uploads server\u2011side to image types or remove the upload endpoint entirely until the patch can be applied.", "Continuously monitor web server logs for attempts to upload files to the CKEditor endpoint and block suspicious IP addresses."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "It affects Ajax30's BraveCMS 2.0 through 2.0.5 inclusive. Any instance running a version prior to 2.0.6 that has CKEditor enabled is vulnerable. The flaw requires the attacker to be logged in with credentials that grant access to the editor.", "description_and_impact": "The vulnerability permits an authenticated user to upload files via the CKEditor endpoint without any type validation. Because the upload handler accepts any file type, an attacker can upload and execute arbitrary PHP scripts on the web server, giving them full control of the compromised system. This remote code execution can lead to data theft, site defacement or further lateral movement within the network.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity of the issue. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. Attackers would need valid CMS credentials to use the upload path, but once authenticated the attacker can execute PHP code, making this a critical threat that demands urgent attention."}}}}, "created": "2026-04-06T21:47:06.252647+00:00", "updated": "2026-04-06T21:47:06.252680+00:00", "vendors": []}