High (8.8)

Brave CMS RCE via File Upload (CVE-2026-35164)

CVE-2026-35164

Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController...

Overview

A high-severity remote code execution (RCE) vulnerability, tracked as CVE-2026-35164, affects Brave CMS versions prior to 2.0.6. The flaw is in the platform's CKEditor file upload component and lets any authenticated user upload a server-side script into a web-served directory and execute it, taking control of the server.

Vulnerability Details

The vulnerability is an unrestricted file upload flaw in the ckupload method of CkEditorController.php. The method receives files submitted through the CKEditor integration but performs no server-side validation of what is uploaded: there is no allowlist on the file extension, no check of the file's actual content, and the client-supplied filename is used unsanitized to decide where the file is written and how it will later be served. An attacker with an ordinary user account can therefore upload a file with a .php extension (or any other extension the web server executes) straight into a web-accessible directory. Requesting that file in a browser makes the server run it, giving the attacker remote code execution with the privileges of the web server process.
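As an added illustration of the flaw class and of what a fixed handler has to check (this is not Brave CMS code and does not reproduce the real ckupload method), the Python model below runs a set of constructed uploads through a handler that trusts the client name and body verbatim, and through a hardened one. The extension allowlist, the magic-byte table, the sample file names and the rule order are assumptions made for the demonstration, not the project's actual policy:

```python
"""Unrestricted-upload flaw class next to the server-side checks that close it.
Illustrative Python model added to this advisory; it is NOT Brave CMS code and does
not reproduce the real ckupload handler, only the behaviour the advisory describes."""
import os
import secrets
import tempfile

# Constructed sample uploads: client filename -> body. The magic bytes are real.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_UPLOADS = {
    "logo.png": PNG_MAGIC + b"\x00" * 32,                      # benign image
    "shell.php": b"<?php system($_GET['c']); ?>",              # classic webshell
    "shell.php.png": b"<?php system($_GET['c']); ?>",          # PHP body, image extension
    "avatar.phtml": PNG_MAGIC + b"\x00" * 32,                  # image body, executable extension
    "poly.gif": b"GIF89a" + b"<?php system($_GET['c']); ?>",   # valid magic + embedded PHP
}

# Extension allowlist -> leading bytes the body must carry. Assumed policy, not Brave CMS's.
ALLOWED = {"png": PNG_MAGIC, "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def vulnerable_ckupload(upload_dir, client_name, body):
    """Flaw class from the advisory: the client-chosen name is used as-is, the body is
    never inspected, and the file lands in a directory the web server serves."""
    path = os.path.join(upload_dir, client_name)
    with open(path, "wb") as fh:
        fh.write(body)
    return path


class UploadRejected(ValueError):
    pass


def hardened_ckupload(upload_dir, client_name, body, max_bytes=2 * 1024 * 1024):
    """Checks a fixed handler must perform on the server, in order: size cap,
    extension allowlist, body magic matching the claimed type, no PHP open tag inside
    an otherwise valid image, and a server-generated random name so the client string
    never reaches the filesystem (this also kills double-extension tricks)."""
    if len(body) > max_bytes:
        raise UploadRejected("too large")
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not body.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    if b"<?php" in body or b"<?=" in body:
        raise UploadRejected("script tag inside image body")
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(body)
    return path


def run_demo():
    """Feed every sample through both handlers; return what each one did."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        vuln_dir = os.path.join(tmp, "vuln")
        hard_dir = os.path.join(tmp, "hard")
        os.makedirs(vuln_dir)
        os.makedirs(hard_dir)
        for name, body in SAMPLE_UPLOADS.items():
            vulnerable_ckupload(vuln_dir, name, body)  # accepts everything, verbatim name
            try:
                stored = hardened_ckupload(hard_dir, name, body)
                results[name] = "accepted"
                results["stored_name_random"] = (
                    os.path.basename(stored) != name and stored.endswith(".png")
                )
            except UploadRejected as exc:
                results[name] = f"rejected: {exc}"
        results["vuln_dir_files"] = sorted(os.listdir(vuln_dir))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:20} {value}")
```

The vulnerable handler ends up with all five files, shell.php included, under a served path; the hardened one keeps only the clean PNG, and under a name the attacker did not choose. Even with these checks, the upload directory should still be configured so the web server never executes anything in it: content checks are a second line, not a substitute for a no-execute upload location.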

Impact

The impact of successful exploitation is severe. An attacker can achieve full compromise of the underlying server hosting Brave CMS. This allows for data theft, website defacement, installation of backdoors, and use of the server as a foothold for further attacks within the network. Given the low privilege requirement (any authenticated user) and the network-based attack vector, this vulnerability poses a significant risk to any unpatched Brave CMS installation.

Remediation and Mitigation

The primary and only complete remediation is to upgrade Brave CMS to version 2.0.6 or later, where this vulnerability has been patched. Administrators should perform this update immediately.

If an immediate upgrade is not possible, consider these temporary mitigation steps:

  • Restrict or disable the CKEditor file upload functionality entirely via the dashboard if it is not strictly necessary; if it must stay on, limit it to the accounts that need it.
  • Configure the web server so nothing under the upload directory is executed as a script (for example, disable the PHP handler for that path or serve it as static content only). This contains the flaw even if a script file does get uploaded.
  • Put web application firewall (WAF) rules in front of the upload endpoint. Match on the filename in the multipart Content-Disposition header and on the request body, not just on ".php": attackers will try .phtml, .phar, .php5, mixed case and double extensions such as shell.php.png, so an allowlist of the expected image extensions holds up better than a blocklist.
  • Inspect the upload directory for recently added files with script extensions, files whose content contains PHP open tags regardless of extension, and server control files such as .htaccess or .user.ini, and remove anything that should not be there.

After patching, review web server access logs and the upload directory for signs of prior exploitation. The typical exploit shape is a POST to the CKEditor upload endpoint followed, from the same client, by requests for a file with a script extension under the upload path. Treat any such find as a compromise of the web server account and investigate from there.
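As an added example of that review (added here, not part of the advisory or of Brave CMS), the Python sweep below walks an upload tree flagging files by name and by content, and pairs upload POSTs in an access log with later requests for script-named files. The endpoint route, the public URL prefix of the upload directory, the sample files and the log lines are all constructed assumptions; substitute the real values from your deployment:

```python
"""Triage sweep for signs that an unrestricted upload (such as CVE-2026-35164) was
used before patching. Illustrative Python added to this advisory, not Brave CMS code.
Assumptions not taken from the advisory: the upload endpoint path, the public URL prefix
of the upload directory, and that the web server writes combined-format access logs."""
import os
import re
import tempfile

UPLOAD_ENDPOINT = "/dashboard/ckeditor/upload"   # ASSUMED; substitute the real route
SERVED_PREFIX = "/uploads/"                      # ASSUMED public prefix of the upload dir

# Script extensions anywhere in the name: matches shell.php, shell.php.png, x.phtml, x.phar
SCRIPT_EXT = re.compile(r"\.(ph(?:p\d?|tml|ar|ps)|cgi|pl|sh)(?:\.|$)", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")
CONTROL_FILES = {".htaccess", ".user.ini", "web.config"}  # can re-enable script execution
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_upload_dir(root):
    """Walk the upload tree and report files by name pattern and by content."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            if name in CONTROL_FILES:
                reasons.append("server control file in upload dir")
            if SCRIPT_EXT.search(name):
                reasons.append("script extension (incl. double extension)")
            with open(path, "rb") as fh:
                head = fh.read(65536)  # tags near the front are the common case
            if PHP_TAG.search(head):
                reasons.append("PHP open tag in content")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def scan_access_log(lines):
    """Return (POSTs to the upload endpoint, requests for script-named files under the
    served prefix). A POST followed by such a request from the same IP is the exploit shape."""
    uploads, hits = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads.append((m["ip"], m["ts"]))
        elif path.startswith(SERVED_PREFIX) and SCRIPT_EXT.search(path):
            hits.append((m["ip"], m["ts"], path, m["status"]))
    return uploads, hits


# Constructed sample log: one attacker (10.0.0.5) uploads, then calls the shell twice.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "POST /dashboard/ckeditor/upload HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2026:10:01:09 +0000] "GET /uploads/ckeditor/shell.php?c=id HTTP/1.1" 200 57 "-" "curl/8.5.0"
10.0.0.7 - - [12/Mar/2026:10:03:44 +0000] "GET /uploads/ckeditor/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2026:10:05:12 +0000] "GET /uploads/ckeditor/shell.php.png?c=whoami HTTP/1.1" 200 33 "-" "curl/8.5.0"
"""


def run_demo():
    """Build a constructed upload directory, then scan it and the sample log."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "ckeditor")
        os.makedirs(sub)
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,                        # clean
            "shell.php": b"<?php system($_GET['c']); ?>",                           # webshell
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"<?= shell_exec($_GET['c']) ?>",    # polyglot
            ".htaccess": b"AddType application/x-httpd-php .png\n",                 # re-enables exec
        }
        for name, body in samples.items():
            with open(os.path.join(sub, name), "wb") as fh:
                fh.write(body)
        fs_findings = scan_upload_dir(root)
    uploads, hits = scan_access_log(SAMPLE_LOG.splitlines())
    return fs_findings, uploads, hits


if __name__ == "__main__":
    fs, up, hit = run_demo()
    print("files:", *fs, sep="\n  ")
    print("upload POSTs:", up)
    print("script requests:", hit)
```

The content check is what catches the polyglot JPEG and the .htaccess that would turn .png into a PHP handler; a sweep that only greps for "*.php" misses both. Run the directory scan before deleting anything so the findings can be preserved as evidence.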

Security Insight

This vulnerability highlights the persistent danger of trusting client-side controls for security. Whatever filtering CKEditor performs in the browser is under the attacker's control and is bypassed by sending the multipart request directly, so server-side validation of extension, content and destination is non-negotiable. It echoes a common pattern in CMS vulnerabilities where third-party editor integrations become the weak link, as seen in past incidents with WordPress and Drupal. Here the missing control is a basic one: a core controller let user input decide a file's name and location without any fundamental validation check.
