Description
Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603.
Published: 2026-05-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Stored XSS results from the application storing CKEditor content without escaping and later rendering it using Laravel Blade's unescaped output directive {!! !!}. Consequently, any JavaScript or HTML injected by a user with editorial privileges is permanently persisted and executed in every visitor's browser when the page loads. This flaw enables client‑side code execution with the privileges of the logged‑in user and can be used to steal session cookies, modify page content, or redirect users to malicious sites.

Affected Systems

The flaw affects the open‑source content management system BraveCMS version 2.0, developed by Ajax30. The vulnerability existed prior to commit 6c56603; any installation of BraveCMS 2.0 before this commit is vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates a high‑severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. A likely attack path requires an attacker to possess editorial privileges to inject malicious script via the CKEditor interface; once injected, the payload is stored and served to all visitors. Because the exploit leverages legitimate content editing, the barrier to exploitation is low for attackers who control or compromise an editorial account. No additional external attack vector is needed beyond the editor role.

Generated by OpenCVE AI on May 8, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit 6c56603 or upgrade BraveCMS to the latest version that includes this change.
  • Limit the editor role to trusted users only and enforce least‑privilege permissions for content editing.
  • Configure the application to escape or sanitize CKEditor output, replacing the unescaped Blade directive with proper escaping or a sanitizer library.
  • Implement a Content Security Policy to limit the impact of any residual XSS payloads.
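
The following is an added example, not code from this page or from the BraveCMS project, showing what the second and third actions above look like in practice for a Laravel application that stores CKEditor HTML: an allowlist sanitizer for rich-text bodies, a triage check for rows that were stored before the patch, the Blade render choices side by side, and a CSP middleware. It assumes the ezyang/htmlpurifier Composer package is installed; the function names, the middleware class name and the view path are illustrative, not BraveCMS's own.

```php
<?php
// Added example, not BraveCMS code. Assumes ezyang/htmlpurifier is installed
// (composer require ezyang/htmlpurifier). The middleware at the bottom further
// assumes a Laravel application; all names and paths here are illustrative.
require __DIR__ . '/vendor/autoload.php';

/**
 * Allowlist sanitizer for rich-text body content. Only the tags and attributes
 * an article legitimately needs survive; <script>, inline event handlers
 * (onerror=...), javascript: URLs and unknown tags are dropped.
 */
function sanitizeBody(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed',
        'p,br,strong,em,u,ul,ol,li,h2,h3,h4,blockquote,a[href|title],img[src|alt|width|height]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('Cache.DefinitionImpl', null); // skip the on-disk definition cache
    return (new HTMLPurifier($config))->purify($html);
}

/**
 * Cheap triage heuristic for auditing rows that were saved before the fix.
 * It is a detection aid, not a sanitizer: a hit only means "review this row".
 */
function looksLikeStoredPayload(string $html): bool
{
    return (bool) preg_match(
        '/<\s*(script|iframe|object|embed)\b|\son[a-z]+\s*=|javascript\s*:/i',
        $html
    );
}

/*
 * Blade layer (resources/views/article.blade.php is an assumed path):
 *
 *   {!! $article->body !!}                 vulnerable: raw HTML reaches the browser
 *   {{ $article->body }}                   escaped: safe, but rich text shows up as literal tags
 *   {!! sanitizeBody($article->body) !!}   keeps formatting, strips active content
 *
 * Sanitizing once on save (controller or model mutator) and again on render
 * costs little and also covers rows that were already stored before the patch.
 */

/**
 * Laravel middleware adding a Content Security Policy (assumed path
 * app/Http/Middleware/ContentSecurityPolicy.php; register it in the web group).
 * Without 'unsafe-inline' in script-src, an inline <script> or onerror=
 * handler that slips past the sanitizer is not executed by the browser, so
 * front-end pages must load their JavaScript from files under the same origin.
 */
final class ContentSecurityPolicy
{
    public function handle(\Illuminate\Http\Request $request, \Closure $next)
    {
        $response = $next($request);
        $response->headers->set(
            'Content-Security-Policy',
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        );
        return $response;
    }
}

// Constructed sample submission of the kind an editor account could send.
$submitted = '<p>Hello <strong>world</strong></p>'
    . '<script>alert(document.cookie)</script>'
    . '<img src="x" onerror="alert(1)">'
    . '<a href="javascript:alert(1)">click</a>';

echo 'flagged: ', var_export(looksLikeStoredPayload($submitted), true), PHP_EOL;
echo 'sanitized: ', sanitizeBody($submitted), PHP_EOL;
```

Run it as a CLI script after installing the package; the sanitized output keeps the paragraph and bold text while the script element, the event-handler attribute and the javascript: link target are removed. The CSP is a backstop, not a replacement for the sanitizer: tighten or relax it per route once you know what the public templates and the editor UI actually load.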


Advisories

No advisories yet.

History

Sat, 09 May 2026 00:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ajax30; Ajax30 bravecms-2.0
Vendors & Products  |                | Ajax30; Ajax30 bravecms-2.0

Fri, 08 May 2026 22:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603.
Title       |                | Ajax30/BraveCMS-2.0: Stored XSS in Page / Article Content
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Ajax30 Bravecms-2.0
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:27:10.583Z

Reserved: 2026-04-20T18:18:50.682Z

Link: CVE-2026-41524

Vulnrichment

Updated: 2026-05-08T17:08:12.405Z

NVD

Status : Deferred

Published: 2026-05-08T15:16:40.253

Modified: 2026-05-08T22:16:30.473

Link: CVE-2026-41524

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:45:20Z

Weaknesses