Cyber Resilience

CVE-2026-35164

Severity: High · Public PoC referenced

Published: 06 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: available (fixed in 2.0.6)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0071 (48.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35164 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ajax30 Bravecms. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 48.6th percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35164 is an unrestricted file upload vulnerability in Brave CMS, an open-source content management system. The issue affects versions prior to 2.0.6 and resides in the CKEditor upload functionality, specifically within the `ckupload` method of `app/Http/Controllers/Dashboard/CkEditorController.php`. This method fails to validate uploaded file types and relies entirely on user-supplied input, enabling the upload of arbitrary files. It has been assigned CWE-434 (Unrestricted Upload of File with Dangerous Type) and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By uploading executable PHP scripts through the CKEditor upload endpoint, the attacker achieves remote code execution (RCE) on the server, potentially leading to full compromise with high impacts on confidentiality, integrity, and availability.
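To make the failure mode concrete, the following is an added example and not Brave CMS code: an upload handler that trusts the client-supplied file name (the pattern the advisory describes) next to a hardened version that decides the file type from the bytes on disk and never reuses the client name. The function names, the allowlist, the upload directory and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not Brave CMS code. Function names, UPLOAD_DIR, ALLOWED_TYPES
// and the sample files below are assumptions for illustration only.
declare(strict_types=1);

const UPLOAD_DIR      = '/var/www/storage/ckeditor';   // assumed; must not be PHP-executable
const MAX_UPLOAD_SIZE = 2 * 1024 * 1024;

// Content type as sniffed from the bytes -> extension we are willing to serve.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

// UNSAFE: the only "type" information used is $file['name'], chosen by the client.
// 'shell.php' is written as-is into a web-served directory and runs on the next GET.
function ckupload_unsafe(array $file, string $uploadDir = UPLOAD_DIR): string
{
    return rtrim($uploadDir, '/') . '/' . basename($file['name']);
}

// Hardened: type from content, client extension only as a consistency check,
// server-generated name on disk. Returns the destination path the caller should
// hand to move_uploaded_file(); throws with a loggable reason on rejection.
function ckupload_validated(array $file, string $uploadDir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new InvalidArgumentException('transport error ' . $file['error']);
    }
    if (($file['size'] ?? 0) <= 0 || $file['size'] > MAX_UPLOAD_SIZE) {
        throw new InvalidArgumentException('size out of range');
    }

    // 1. Decide the type from the bytes, not from the name or the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']) ?: 'application/octet-stream';
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new InvalidArgumentException("rejected content type $mime");
    }
    $ext = ALLOWED_TYPES[$mime];

    // 2. The file must actually parse as an image of that kind.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new InvalidArgumentException('not a well-formed image');
    }

    // 3. The client extension must agree (catches shell.php, shell.png.php, ...).
    $clientExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $aliases   = ['jpeg' => 'jpg'];
    if (($aliases[$clientExt] ?? $clientExt) !== $ext) {
        throw new InvalidArgumentException("name extension '$clientExt' does not match $mime");
    }

    // 4. Server-generated name: no attacker-controlled characters reach the path.
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs for a CLI run (php this_file.php): a real 1x1 PNG
// and a PHP payload, each presented under a few client-chosen names.
if (PHP_SAPI === 'cli') {
    $png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
    $php = "<?php system(\$_GET['c']); ?>\n";
    $samples = [
        ['logo.png',      $png],   // legitimate upload
        ['shell.php',     $php],   // the case the advisory describes
        ['shell.png.php', $php],   // double extension
        ['shell.png',     $php],   // PHP bytes under an image name
    ];
    foreach ($samples as [$name, $bytes]) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        $file = ['name' => $name, 'tmp_name' => $tmp, 'size' => strlen($bytes), 'error' => UPLOAD_ERR_OK];
        printf("%-14s unsafe   -> %s\n", $name, ckupload_unsafe($file, '/tmp/uploads'));
        try {
            printf("%-14s hardened -> %s\n", $name, ckupload_validated($file, '/tmp/uploads'));
        } catch (InvalidArgumentException $e) {
            printf("%-14s hardened -> REJECTED: %s\n", $name, $e->getMessage());
        }
        unlink($tmp);
    }
}
```

Only the first sample survives the hardened path; the three PHP payloads are rejected at the content-sniffing step regardless of the name they arrive under. Two caveats a practitioner should keep in mind: a structurally valid image can still carry PHP in a comment chunk, so the validator is not sufficient on its own, and the second layer is to serve the upload directory with PHP execution disabled (or from outside the web root) so that nothing written there can ever be interpreted; and in a real handler the path returned here must be used with move_uploaded_file(), which itself refuses anything that did not arrive as an HTTP upload.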

The GitHub security advisory (GHSA-2j4q-6p52-4rhw) confirms that the vulnerability is fixed in Brave CMS version 2.0.6. Security practitioners should urge users to upgrade to this patched version immediately, as no additional mitigations are detailed in the provided references. Because upgrading does not remove files that were uploaded before the fix, existing deployments should also be checked for PHP files in the directory the CKEditor upload endpoint writes to, and any found treated as a potential web shell.


Vulnerability details

Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController.php within the ckupload method. The method fails to validate uploaded file types and relies entirely on user input. This allows an authenticated user to upload executable PHP scripts and gain Remote Code Execution. This vulnerability is fixed in 2.0.6.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in a public-facing CMS (Brave CMS) enables exploitation of the public-facing application (T1190) to upload and execute PHP web shells (T1505.003) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35047 · Same product: Ajax30 Bravecms
CVE-2026-35183 · Same product: Ajax30 Bravecms
CVE-2026-35182 · Same product: Ajax30 Bravecms
CVE-2025-22654 · Shared CWE-434
CVE-2025-11948 · Shared CWE-434
CVE-2025-67260 · Shared CWE-434
CVE-2025-28915 · Shared CWE-434
CVE-2023-53956 · Shared CWE-434
CVE-2025-6058 · Shared CWE-434
CVE-2021-47819 · Shared CWE-434

Affected Assets

ajax30 / bravecms
Affected: 2.0.0 up to, but not including, 2.0.6 (fixed in 2.0.6)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation)
Directly addresses the failure to validate uploaded file types in the CKEditor ckupload method, preventing arbitrary executable PHP uploads.

prevent
Enforces restrictions on file types and sizes at upload interfaces, blocking dangerous files like executable PHP scripts.

prevent · SI-2 (Flaw Remediation)
Requires timely patching of the specific flaw in Brave CMS versions prior to 2.0.6 to remediate the unrestricted upload vulnerability.
