PT-2026-39138 · Brave Cms
Smitocaru · Published 2026-05-08 · Updated 2026-05-26
CVE-2026-41524
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Brave CMS versions prior to commit 6c56603
Description
Page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and rendered using Laravel Blade's unescaped output directive {!! !!}. This allows an editor-role user to inject JavaScript or HTML that is permanently stored and executed in the browser of every visitor when the page loads.
Recommendations
Update to the version containing commit 6c56603.
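As an added example that is neither Brave CMS code nor the change in commit 6c56603: a server-side allowlist sanitizer that a Laravel controller can apply to CKEditor output before it is stored, so that the value later rendered with `{!! !!}` no longer carries script tags or event-handler attributes. The function names, the allowlist and the `$page->body` field are assumptions.

```php
<?php
// Added example, not Brave CMS code and not the fix in commit 6c56603.
// Assumes a Laravel app; helper names and the allowlist are illustrative.
const DROP_TAGS     = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math'];
const ALLOWED_TAGS  = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'h2', 'h3', 'blockquote', 'a', 'img'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];

// Reduce CKEditor output to the allowlist. Call it in the controller before
// saving, so the value later rendered with {!! $page->body !!} is already clean.
function sanitizeBody(string $html): string
{
    $doc = new DOMDocument();
    // Wrap the fragment in a <div>; the flags suppress implied <html>/<body>.
    @$doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root = $doc->getElementsByTagName('div')->item(0);
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Snapshot the children: the loop removes and moves nodes while walking.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) { continue; }
        if (!$child instanceof DOMElement) { $node->removeChild($child); continue; } // comments, PIs
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_TAGS, true)) { $node->removeChild($child); continue; } // active content and its text
        cleanNode($child); // clean the subtree first, so unwrapped children are already safe
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            while ($child->firstChild) { // unknown tag: keep its text, drop the element
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($keep && in_array($name, ['href', 'src'], true)) {
                // Only http(s) or site-relative URLs; this rejects javascript: and data: schemes.
                $keep = (bool) preg_match('#^(https?://|/)#i', trim($attr->value));
            }
            if (!$keep) { $child->removeAttribute($attr->name); } // drops on* handlers and anything not listed
        }
    }
}
```

Sanitizing on input alone is not enough if older rows were saved before the fix; re-run sanitizeBody over existing content, or apply it at render time as well.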
Exploit
Fix
XSS
Affected Products: Brave Cms