CVE-2026-41576
Description
Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then rendered in a Blade email template using the unescaped {!! $msg !!} directive. Because the HTML is not sanitized, arbitrary markup can be injected into the email body. While modern HTML-capable email clients (Gmail or Outlook Web) typically block JavaScript execution, they still render HTML content. This allows attackers to craft convincing phishing interfaces inside the email sent to the administrator. This issue has been patched via commit 6c56603.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Brave CMS contact form allows unauthenticated HTML injection into admin emails via nl2br() and unescaped Blade template, enabling phishing attacks.
Vulnerability
Overview
CVE-2026-41576 describes an HTML injection vulnerability in Brave CMS, an open-source content management system. The contact form is publicly accessible without authentication. User-supplied message text is processed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then embedded into a Blade email template using the unescaped {!! $msg !!} directive, allowing arbitrary HTML markup to be injected into the email body sent to the site administrator [1][2].
Exploitation and Attack Surface
An attacker can submit a crafted message via the contact form (POST /contact) containing malicious HTML. The server processes the message with nl2br() and inserts it unescaped into the email template. The administrator receives the email in an HTML-capable client such as Gmail or Outlook Web. While modern email clients typically block JavaScript execution, they still render HTML content, allowing the attacker to inject convincing phishing interfaces, such as fake login prompts or security alerts [2].
Impact
Successful exploitation allows an attacker to craft deceptive UI elements within the email, potentially leading to credential harvesting or redirection to attacker-controlled domains. The attack relies on user interaction (the administrator opening the email and interacting with the content) but requires no authentication to the CMS [2].
Mitigation
The issue has been patched via commit 6c56603, which introduces proper HTML sanitization for user-supplied content in the contact form and other areas [1]. Administrators are advised to update to the latest version of Brave CMS that includes this fix.
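The pattern below is an added example (not Brave CMS or Laravel code) contrasting the vulnerable nl2br() + {!! $msg !!} rendering with the escape-then-nl2br form; it uses htmlspecialchars() directly in place of Laravel's e() helper, which wraps it, and the visitor message is constructed for illustration.

```php
<?php
// Added example, not from Brave CMS: vulnerable rendering beside the hardened form.
declare(strict_types=1);

// Vulnerable pattern from the advisory: nl2br() keeps any HTML the visitor
// typed, and {!! $msg !!} in the Blade template then outputs it raw.
function renderUnsafe(string $msg): string
{
    return nl2br($msg);
}

// Hardened form: escape first (htmlspecialchars() is what Laravel's e()
// helper calls), then let nl2br() add the only markup we intend to emit.
// In Blade this is {!! nl2br(e($msg)) !!}; wrapping it in {{ }} instead
// would escape the generated <br /> tags too and show them as text.
function renderSafe(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);
}

// Audit check for a template test: after rendering, the only tags that may
// remain are the <br /> tags inserted by nl2br().
function containsOnlyLineBreaks(string $html): bool
{
    return preg_match('/<(?!br\s*\/?>)/i', $html) === 0;
}

// Constructed sample input: what an unauthenticated visitor could submit.
$visitorMessage = "Hello,\n<b>Security notice:</b> <a href=\"https://example.invalid/\">review</a>";

$unsafe = renderUnsafe($visitorMessage);
$safe   = renderSafe($visitorMessage);

echo "unsafe -> ", $unsafe, PHP_EOL;
echo "safe   -> ", $safe, PHP_EOL;

// The unsafe output still carries the visitor's <b> and <a> tags; the safe
// output carries only the <br /> from the newline.
if (containsOnlyLineBreaks($unsafe)) {
    throw new RuntimeException('expected visitor markup to survive nl2br()');
}
if (!containsOnlyLineBreaks($safe)) {
    throw new RuntimeException('escaped output must contain no tags besides <br />');
}
```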
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.