CVE-2026-35047

Critical

Published: 06 April 2026

Published

06 April 2026

Modified

10 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0036 58.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35047 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ajax30 Bravecms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates unrestricted file uploads by validating uploaded files against dangerous types and contents at the CKEditor endpoint.

SI-2 Flaw Remediation good match

prevent

Addresses the specific vulnerability by requiring timely remediation through patching to version 2.0.6 or later.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on file upload inputs to permit only safe types, blocking executable scripts at the vulnerable endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of public-facing web application (T1190) via unrestricted file upload in CKEditor endpoint, allowing unauthenticated RCE through executable script upload, directly facilitating web shell deployment (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on the server, potentially resulting…

in full system compromise, data exfiltration, or service disruption. All users running affected versions of BraveCMS are impacted. This vulnerability is fixed in 2.0.6.

Deeper analysisAI

CVE-2026-35047 is an unrestricted file upload vulnerability affecting Brave CMS, an open-source content management system, in versions prior to 2.0.6. The flaw resides in the CKEditor endpoint, which permits attackers to upload arbitrary files, including executable scripts. This issue, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote code execution (RCE) on the server.

The vulnerability can be exploited remotely by unauthenticated attackers with no privileges or user interaction required. By sending a malicious file upload request to the affected CKEditor endpoint, an attacker can upload executable scripts, leading to RCE. Successful exploitation may result in full server compromise, data exfiltration, or service disruption, impacting all users running vulnerable versions of BraveCMS.

Mitigation is available through the patch released in BraveCMS version 2.0.6. The GitHub security advisory (GHSA-9rcc-w59j-965v), associated pull request (#122), and fixing commit (058ee4ed7c2b39d540af8274024afcbc9532aa83) detail the resolution, recommending immediate upgrades for all affected installations.