| ID |
CVE-2026-41524
|
| Sažetak |
Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603. |
| Reference |
|
| CVSS |
| Base: | 8.7 |
| Impact: | 5.8 |
| Exploitability: | 2.3 |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| NETWORK |
LOW |
LOW |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| HIGH |
HIGH |
NONE |
|
| CVSS vektor |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
| Zadnje važnije ažuriranje |
08-05-2026 - 22:16 |
| Objavljeno |
08-05-2026 - 15:16 |
