Arbitrary file upload in Ajax30 Bravecms-2.0

CVE-2026-35047

Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on t…

Vulnerability class: Unrestricted File Upload

EPSS: 0.004 (58.5th percentile) — read the EPSS interpretation.

Affected products

Ajax30 Bravecms-2.0 — versions < 2.0.6

Weakness classification (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type

References

https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-9rcc-w59j-965v (x_refsource_CONFIRM)
https://github.com/Ajax30/BraveCMS-2.0/pull/122 (x_refsource_MISC)
https://github.com/Ajax30/BraveCMS-2.0/commit/058ee4ed7c2b39d540af8274024afcbc9532aa83 (x_refsource_MISC)