https://feed.craftedsignal.io/tags/brave-cms/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 06 Apr 2026 20:16:26 +0000https://feed.craftedsignal.io/briefs/2026-04-brave-cms-privesc/Mon, 06 Apr 2026 20:16:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-brave-cms-privesc/Brave CMS versions prior to 2.0.6 are vulnerable to privilege escalation due to a missing authorization check in the update role endpoint, allowing any authenticated user to gain Super Admin privileges.Brave CMS, an open-source content management system, is susceptible to a critical vulnerability (CVE-2026-35182) affecting versions prior to 2.0.6. The vulnerability stems from a missing authorization check in the /rights/update-role/{id} endpoint, specifically within the routes/web.php file. The absence of the checkUserPermissions:assign-user-roles middleware on the POST route allows any authenticated user, regardless of their current role, to modify account roles. This enables malicious actors or internal users to elevate their privileges to Super Admin, granting them complete control over the CMS. This vulnerability poses a significant risk to organizations utilizing affected versions of Brave CMS, potentially leading to data breaches, system compromise, and unauthorized modifications.

Attack Chain

1. An attacker gains initial access to a Brave CMS instance with a valid, low-privilege user account (e.g., via compromised credentials or legitimate registration).
2. The attacker identifies the vulnerable endpoint /rights/update-role/{id} within the routes/web.php file.
3. The attacker crafts a POST request to /rights/update-role/{id}, where {id} is the user ID of the target account (e.g., their own or another user). The request body includes data to modify the target user’s role to ‘Super Admin’.
4. The Brave CMS application, lacking the checkUserPermissions:assign-user-roles middleware, processes the request without properly validating the attacker’s authorization to modify user roles.
5. The target user’s role is updated to ‘Super Admin’ in the CMS database.
6. The attacker, now possessing Super Admin privileges, can access all administrative functions within the Brave CMS.
7. The attacker can modify website content, install malicious plugins, create new admin accounts, and potentially gain access to the underlying server.
8. The attacker achieves full control of the Brave CMS instance, leading to potential data exfiltration, defacement, or denial-of-service.

Impact

Successful exploitation of CVE-2026-35182 can lead to complete compromise of the Brave CMS instance. An attacker gaining Super Admin privileges can modify or delete website content, inject malicious code, access sensitive data, and potentially pivot to other systems on the network. The impact can range from website defacement and data breaches to complete loss of control over the CMS and associated infrastructure. There is no information regarding how many victims are affected.

Recommendation

• Upgrade Brave CMS to version 2.0.6 or later to patch CVE-2026-35182.
• Deploy the Sigma rule “Detect Brave CMS Unauthorized Role Update” to detect exploitation attempts in web server logs.
• Monitor web server logs for POST requests to the /rights/update-role/ endpoint lacking proper authorization headers or originating from unusual IP addresses.
• Review user roles and permissions within Brave CMS to identify and remediate any unauthorized privilege escalations.

]]>criticaladvisorycve-2026-35182privilege-escalationweb-applicationbrave-cmshttps://feed.craftedsignal.io/briefs/2024-01-26-brave-cms-idor/Mon, 06 Apr 2026 20:16:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-26-brave-cms-idor/Brave CMS versions prior to 2.0.6 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability allowing authenticated users with edit permissions to delete images attached to articles owned by other users due to missing ownership verification in the deleteImage method.Brave CMS, an open-source content management system, is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability in versions prior to 2.0.6. The vulnerability resides within the deleteImage method in app/Http/Controllers/Dashboard/ArticleController.php. This flaw allows an authenticated user with edit permissions, regardless of article ownership, to delete images associated with other users’ articles. The root cause is the lack of proper ownership validation when processing image deletion requests. An attacker can exploit this vulnerability by crafting requests with the filenames of images belonging to other users’ articles, leading to unauthorized image deletion and potential data integrity issues. This issue was resolved in version 2.0.6 of Brave CMS.

Attack Chain

1. Attacker authenticates to the Brave CMS application with an account that has edit permissions.
2. Attacker identifies the filename of an image attached to an article that they do not own. This can be achieved through inspecting the HTML source code of the article page or by querying the database directly (if accessible).
3. Attacker crafts a malicious HTTP request targeting the deleteImage endpoint (app/Http/Controllers/Dashboard/ArticleController.php).
4. The malicious request includes the filename of the target image in the URL parameters.
5. The deleteImage method processes the request without verifying if the authenticated user owns the article to which the image is attached.
6. The application deletes the specified image file from the server’s file system.
7. The link to the deleted image in the target article is broken.
8. The victim user, who owns the article, notices the missing image.

Impact

Successful exploitation of this IDOR vulnerability in Brave CMS versions prior to 2.0.6 allows attackers with edit permissions to arbitrarily delete images from articles they do not own. This can lead to data integrity issues, content manipulation, and potential denial of service by removing important visual elements from the website. The impact is limited to users with edit permissions within the CMS, but can affect any article and its associated media. The CVSS v3.1 base score for this vulnerability is 7.1.

Recommendation

• Upgrade Brave CMS to version 2.0.6 or later to patch the CVE-2026-35183 vulnerability.
• Implement the Sigma rule Detect Brave CMS Image Deletion Attempt to detect unauthorized image deletion attempts by monitoring HTTP requests to the deleteImage endpoint.
• Review and harden access control policies within the Brave CMS application to ensure proper ownership validation for sensitive operations, such as image deletion.

]]>mediumadvisoryidorbrave-cmsvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-brave-cms-rce/Mon, 06 Apr 2026 18:16:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-brave-cms-rce/Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.Brave CMS, an open-source content management system, is vulnerable to an unrestricted file upload vulnerability (CVE-2026-35164) in versions prior to 2.0.6. The vulnerability resides within the CKEditor upload functionality, specifically in the ckupload method located in app/Http/Controllers/Dashboard/CkEditorController.php. The application fails to properly validate the types of uploaded files, relying solely on user-provided input. This lack of validation enables an authenticated user to upload malicious PHP scripts, leading to arbitrary code execution on the server. The vulnerability was reported on April 6, 2026, and is fixed in Brave CMS version 2.0.6. Organizations using affected versions of Brave CMS are at risk of complete system compromise.

Attack Chain

1. Attacker authenticates to the Brave CMS application as a user with upload privileges.
2. The attacker navigates to a page or functionality within the CMS that utilizes the CKEditor for content creation or editing.
3. The attacker uses the CKEditor’s upload functionality to upload a malicious PHP script disguised as a legitimate file type (e.g., image).
4. The ckupload method in app/Http/Controllers/Dashboard/CkEditorController.php processes the uploaded file without proper validation of the file type or content.
5. The malicious PHP script is stored on the server in a publicly accessible directory.
6. The attacker crafts a request to directly access the uploaded PHP script via its URL.
7. The web server executes the PHP script, granting the attacker the ability to run arbitrary commands on the server.
8. The attacker establishes persistence, installs a web shell, and performs lateral movement within the network, escalating privileges as needed to achieve their objectives.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected Brave CMS server. This can lead to complete compromise of the CMS instance, including unauthorized access to sensitive data, modification of website content, and potential lateral movement to other systems on the network. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity level. Organizations running vulnerable versions of Brave CMS are at risk of data breaches, website defacement, and further exploitation of their infrastructure.

Recommendation

• Upgrade Brave CMS to version 2.0.6 or later to remediate the unrestricted file upload vulnerability (CVE-2026-35164).
• Implement server-side file validation to prevent the upload of malicious files, regardless of file extension.
• Monitor web server logs for suspicious activity related to file uploads and execution of PHP scripts.
• Deploy the following Sigma rule to detect attempts to access potentially malicious PHP files in the web server’s upload directories.

]]>criticaladvisorycve-2026-35164rcefile-uploadbrave-cmsckeditorphpwebserver