{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35183", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-06T19:11:28.807Z", "dateUpdated": "2026-04-06T19:11:28.807Z"}, "containers": {"cna": {"title": "Brave CMS has an Insecure Direct Object Reference in Article Image Deletion", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-cpf3-fxwg-cwr3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-cpf3-fxwg-cwr3"}], "affected": [{"vendor": "Ajax30", "product": "BraveCMS-2.0", "versions": [{"version": "< 2.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:11:28.807Z"}, "descriptions": [{"lang": "en", "value": "Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL but does not verify ownership. This allows an authenticated user with edit permissions to delete images attached to articles owned by other users. This vulnerability is fixed in 2.0.6."}], "source": {"advisory": "GHSA-cpf3-fxwg-cwr3", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL but does not verify ownership. This allows an authenticated user with edit permissions to delete images attached to articles owned by other users. This vulnerability is fixed in 2.0.6."}], "id": "CVE-2026-35183", "lastModified": "2026-04-06T20:16:26.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:26.727", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-cpf3-fxwg-cwr3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BraveCMS-2.0", "source": "cna", "vendor": "Ajax30"}, "product": "bravecms-2.0", "vendor": "ajax30"}], "analysis": {"en": {"generated_at": "2026-04-07T01:38:13.549069+00:00", "value": {"mitigation_remediation": ["Upgrade Brave CMS to version 2.0.6 or later to remove the IDOR flaw.", "If immediate upgrade is not possible, restrict edit permissions so that only image owners can perform deletion actions.", "Modify the deleteImage endpoint to verify that the authenticated user is the owner of the article image before allowing deletion.", "Monitor logs for unauthorized deletion attempts and review user activity related to image management."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Deletion of Article Images"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Ajax30 BraveCMS 2.0 series prior to version 2.0.6. Any deployment of Brave CMS containers or installations based on the 2.0 release that have not applied the 2.0.6 patch is susceptible. Users should verify their version, and the patch is available in the 2.0.6 update released by the vendor.", "description_and_impact": "Brave CMS contains an insecure direct object reference that enables an authenticated user with edit permissions to delete images attached to articles belonging to other users. The flaw lies in the deleteImage method of the ArticleController, which receives a filename from the URL without verifying the owner. This lack of ownership validation allows the deletion of image files that may be critical to other authors\u2019 content, leading to integrity loss and potential disruption of publications.", "risk_and_exploitability": "The CVSS score of 7.1 indicates medium\u2011to\u2011high severity. The vulnerability requires the attacker to be an authenticated user with edit rights; this is typical of CMS editors or authors. Exploitation involves sending a crafted URL to the deleteImage endpoint with a target image\u2019s filename, which the application then deletes without permission checks. Since the EPSS score is unavailable and the issue is not listed in KEV, the risk is based primarily on the reported severity and the preponderance of user accounts with edit privileges. The attack vector is inferred to be remote, via the web interface, as the deletion request is performed over HTTP/HTTPS."}}}}, "created": "2026-04-07T06:54:28.742178+00:00", "updated": "2026-04-07T09:37:31.186112+00:00", "vendors": ["ajax30", "ajax30$PRODUCT$bravecms-2.0"]}