High severity8.7NVD Advisory· Published May 8, 2026· Updated May 8, 2026

CVE-2026-41524

Description

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11eanvd
github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-xj46-722x-6433nvd

News mentions

No linked articles in our index yet.

cvss	0.565
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000