{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/brave-cms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35182"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-35182","privilege-escalation","web-application","brave-cms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBrave CMS, an open-source content management system, is susceptible to a critical vulnerability (CVE-2026-35182) affecting versions prior to 2.0.6. The vulnerability stems from a missing authorization check in the \u003ccode\u003e/rights/update-role/{id}\u003c/code\u003e endpoint, specifically within the \u003ccode\u003eroutes/web.php\u003c/code\u003e file. The absence of the \u003ccode\u003echeckUserPermissions:assign-user-roles\u003c/code\u003e middleware on the POST route allows any authenticated user, regardless of their current role, to modify account roles. This enables malicious actors or internal users to elevate their privileges to Super Admin, granting them complete control over the CMS. This vulnerability poses a significant risk to organizations utilizing affected versions of Brave CMS, potentially leading to data breaches, system compromise, and unauthorized modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Brave CMS instance with a valid, low-privilege user account (e.g., via compromised credentials or legitimate registration).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the vulnerable endpoint \u003ccode\u003e/rights/update-role/{id}\u003c/code\u003e within the \u003ccode\u003eroutes/web.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003e/rights/update-role/{id}\u003c/code\u003e, where \u003ccode\u003e{id}\u003c/code\u003e is the user ID of the target account (e.g., their own or another user). The request body includes data to modify the target user\u0026rsquo;s role to \u0026lsquo;Super Admin\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe Brave CMS application, lacking the \u003ccode\u003echeckUserPermissions:assign-user-roles\u003c/code\u003e middleware, processes the request without properly validating the attacker\u0026rsquo;s authorization to modify user roles.\u003c/li\u003e\n\u003cli\u003eThe target user\u0026rsquo;s role is updated to \u0026lsquo;Super Admin\u0026rsquo; in the CMS database.\u003c/li\u003e\n\u003cli\u003eThe attacker, now possessing Super Admin privileges, can access all administrative functions within the Brave CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker can modify website content, install malicious plugins, create new admin accounts, and potentially gain access to the underlying server.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control of the Brave CMS instance, leading to potential data exfiltration, defacement, or denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35182 can lead to complete compromise of the Brave CMS instance. An attacker gaining Super Admin privileges can modify or delete website content, inject malicious code, access sensitive data, and potentially pivot to other systems on the network. The impact can range from website defacement and data breaches to complete loss of control over the CMS and associated infrastructure. There is no information regarding how many victims are affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Brave CMS to version 2.0.6 or later to patch CVE-2026-35182.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Brave CMS Unauthorized Role Update\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/rights/update-role/\u003c/code\u003e endpoint lacking proper authorization headers or originating from unusual IP addresses.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions within Brave CMS to identify and remediate any unauthorized privilege escalations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T20:16:26Z","date_published":"2026-04-06T20:16:26Z","id":"/briefs/2026-04-brave-cms-privesc/","summary":"Brave CMS versions prior to 2.0.6 are vulnerable to privilege escalation due to a missing authorization check in the update role endpoint, allowing any authenticated user to gain Super Admin privileges.","title":"Brave CMS Missing Authorization Leads to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-04-brave-cms-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-35183"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["idor","brave-cms","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBrave CMS, an open-source content management system, is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability in versions prior to 2.0.6. The vulnerability resides within the \u003ccode\u003edeleteImage\u003c/code\u003e method in \u003ccode\u003eapp/Http/Controllers/Dashboard/ArticleController.php\u003c/code\u003e. This flaw allows an authenticated user with edit permissions, regardless of article ownership, to delete images associated with other users\u0026rsquo; articles. The root cause is the lack of proper ownership validation when processing image deletion requests. An attacker can exploit this vulnerability by crafting requests with the filenames of images belonging to other users\u0026rsquo; articles, leading to unauthorized image deletion and potential data integrity issues. This issue was resolved in version 2.0.6 of Brave CMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Brave CMS application with an account that has edit permissions.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the filename of an image attached to an article that they do not own. This can be achieved through inspecting the HTML source code of the article page or by querying the database directly (if accessible).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003edeleteImage\u003c/code\u003e endpoint (\u003ccode\u003eapp/Http/Controllers/Dashboard/ArticleController.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious request includes the filename of the target image in the URL parameters.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edeleteImage\u003c/code\u003e method processes the request without verifying if the authenticated user owns the article to which the image is attached.\u003c/li\u003e\n\u003cli\u003eThe application deletes the specified image file from the server\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe link to the deleted image in the target article is broken.\u003c/li\u003e\n\u003cli\u003eThe victim user, who owns the article, notices the missing image.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability in Brave CMS versions prior to 2.0.6 allows attackers with edit permissions to arbitrarily delete images from articles they do not own. This can lead to data integrity issues, content manipulation, and potential denial of service by removing important visual elements from the website. The impact is limited to users with edit permissions within the CMS, but can affect any article and its associated media. The CVSS v3.1 base score for this vulnerability is 7.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Brave CMS to version 2.0.6 or later to patch the CVE-2026-35183 vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Brave CMS Image Deletion Attempt\u003c/code\u003e to detect unauthorized image deletion attempts by monitoring HTTP requests to the \u003ccode\u003edeleteImage\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview and harden access control policies within the Brave CMS application to ensure proper ownership validation for sensitive operations, such as image deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T20:16:26Z","date_published":"2026-04-06T20:16:26Z","id":"/briefs/2024-01-26-brave-cms-idor/","summary":"Brave CMS versions prior to 2.0.6 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability allowing authenticated users with edit permissions to delete images attached to articles owned by other users due to missing ownership verification in the deleteImage method.","title":"Brave CMS Insecure Direct Object Reference Vulnerability (CVE-2026-35183)","url":"https://feed.craftedsignal.io/briefs/2024-01-26-brave-cms-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35164"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-35164","rce","file-upload","brave-cms","ckeditor","php","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBrave CMS, an open-source content management system, is vulnerable to an unrestricted file upload vulnerability (CVE-2026-35164) in versions prior to 2.0.6. The vulnerability resides within the CKEditor upload functionality, specifically in the \u003ccode\u003eckupload\u003c/code\u003e method located in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e. The application fails to properly validate the types of uploaded files, relying solely on user-provided input. This lack of validation enables an authenticated user to upload malicious PHP scripts, leading to arbitrary code execution on the server. The vulnerability was reported on April 6, 2026, and is fixed in Brave CMS version 2.0.6. Organizations using affected versions of Brave CMS are at risk of complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Brave CMS application as a user with upload privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a page or functionality within the CMS that utilizes the CKEditor for content creation or editing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the CKEditor\u0026rsquo;s upload functionality to upload a malicious PHP script disguised as a legitimate file type (e.g., image).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eckupload\u003c/code\u003e method in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e processes the uploaded file without proper validation of the file type or content.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP script is stored on the server in a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to directly access the uploaded PHP script via its URL.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP script, granting the attacker the ability to run arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, installs a web shell, and performs lateral movement within the network, escalating privileges as needed to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected Brave CMS server. This can lead to complete compromise of the CMS instance, including unauthorized access to sensitive data, modification of website content, and potential lateral movement to other systems on the network. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity level. Organizations running vulnerable versions of Brave CMS are at risk of data breaches, website defacement, and further exploitation of their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Brave CMS to version 2.0.6 or later to remediate the unrestricted file upload vulnerability (CVE-2026-35164).\u003c/li\u003e\n\u003cli\u003eImplement server-side file validation to prevent the upload of malicious files, regardless of file extension.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to file uploads and execution of PHP scripts.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to access potentially malicious PHP files in the web server\u0026rsquo;s upload directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T18:16:42Z","date_published":"2026-04-06T18:16:42Z","id":"/briefs/2026-04-brave-cms-rce/","summary":"Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.","title":"Brave CMS Unrestricted File Upload Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-brave-cms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Brave-Cms","version":"https://jsonfeed.org/version/1.1"}