CVE-2026-35164

HighPublic PoC

Published: 06 April 2026

Published

06 April 2026

Modified

14 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0033 56.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController.php within the ckupload method. The method fails to validate uploaded file types and relies entirely…

on user input. This allows an authenticated user to upload executable PHP scripts and gain Remote Code Execution. This vulnerability is fixed in 2.0.6.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the failure to validate uploaded file types in the CKEditor ckupload method, preventing arbitrary executable PHP uploads.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on file types and sizes at upload interfaces, blocking dangerous files like executable PHP scripts.

SI-2 Flaw Remediation good match

prevent

Requires timely patching of the specific flaw in Brave CMS versions prior to 2.0.6 to remediate the unrestricted upload vulnerability.

Security SummaryAI

CVE-2026-35164 is an unrestricted file upload vulnerability in Brave CMS, an open-source content management system. The issue affects versions prior to 2.0.6 and resides in the CKEditor upload functionality, specifically within the `ckupload` method of `app/Http/Controllers/Dashboard/CkEditorController.php`. This method fails to validate uploaded file types and relies entirely on user-supplied input, enabling the upload of arbitrary files. It has been assigned CWE-434 (Unrestricted Upload of File with Dangerous Type) and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By uploading executable PHP scripts through the CKEditor upload endpoint, the attacker achieves remote code execution (RCE) on the server, potentially leading to full compromise with high impacts on confidentiality, integrity, and availability.

The GitHub security advisory (GHSA-2j4q-6p52-4rhw) confirms that the vulnerability is fixed in Brave CMS version 2.0.6. Security practitioners should urge users to upgrade to this patched version immediately, as no additional mitigations are detailed in the provided references.

Details

CWE(s): CWE-434

Affected Products

ajax30

bravecms

2.0.0 — 2.0.6

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Unrestricted file upload in public-facing CMS (Brave CMS) enables exploitation of public-facing application (T1190) to upload and execute PHP web shells (T1100) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-2j4q-6p52-4rhw
Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-2j4q-6p52-4rhw
Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0