CVE-2026-41524 PUBLISHED

Ajax30/BraveCMS-2.0: Stored XSS in Page / Article Content

Assigner: GitHub_M
Reserved: 20.04.2026 Published: 08.05.2026 Updated: 08.05.2026

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 8.7

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Ajax30
Product	BraveCMS-2.0
Versions	Version < 6c5660373cf5f0ca9181603280427aca46ef11ea is affected

References

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE