Brave CMS Vulnerability: Phishing via Unescaped Contact Form

The National Vulnerability Database has disclosed CVE-2026-41576, a high-severity vulnerability (CVSS 7.1) in Brave CMS, an open-source content management system. Prior to commit 6c56603, the contact form on Brave CMS installations, which is reachable without authentication, allowed any anonymous visitor to inject arbitrary HTML into the emails it sends to administrators.

The vulnerability stems from insufficient output escaping. The user-supplied message text was passed through PHP’s nl2br() function, which only inserts <br> tags before newlines and leaves every other HTML character untouched. The result was then rendered in a Blade email template through the unescaped {!! $msg !!} directive, so any tags in the message reached the email body as live markup. Although modern email clients typically block JavaScript execution, they still render HTML, enabling attackers to craft highly convincing phishing interfaces directly within administrator emails.

The attacker’s calculus here is straightforward: leverage a trusted communication channel (the site’s own contact form) to deliver a malicious payload directly to a high-value target (the administrator). This isn’t about code execution on the server, but about social engineering a recipient through a highly credible vector. Defenders need to understand that this kind of HTML injection creates a powerful illusion of legitimacy, making it far more effective than generic phishing attempts. The issue has been patched in commit 6c56603.
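The following is an added illustration, not Brave CMS code: it contrasts the vulnerable nl2br()-then-unescaped pattern described above with the escape-first ordering that fixes it, and adds a small regression check. The function names and the sample message are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Brave CMS code: why nl2br() alone is not an HTML
// sanitizer, and the ordering that fixes it. nl2br() only inserts <br />
// before newline characters; <, >, &, " and ' pass through untouched.

// Mirrors the vulnerable pattern: nl2br() on raw input, then rendered
// with Blade's unescaped {!! $msg !!} directive.
function renderMessageUnsafe(string $msg): string
{
    return nl2br($msg);
}

// Hardened form: escape first, then add line breaks. After
// htmlspecialchars() the only markup left in the string is the <br />
// tags nl2br() appends, so {!! !!} is safe on this value. In a Blade
// template this is {!! nl2br(e($msg)) !!}; the e() helper is Laravel's
// wrapper around htmlspecialchars().
function renderMessageSafe(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($escaped);
}

// Regression check for a test suite: no angle bracket other than those
// of nl2br()'s own <br /> may survive rendering, whatever the input.
function containsForeignMarkup(string $html): bool
{
    $withoutBr = str_replace('<br />', '', $html);
    return strpbrk($withoutBr, '<>') !== false;
}

// Constructed sample input: a multi-line message carrying an HTML link.
$sample = "Hello,\nplease review <a href=\"https://example.invalid/\">this</a>.";

printf("unsafe rendering leaks markup: %s\n",
    containsForeignMarkup(renderMessageUnsafe($sample)) ? 'yes' : 'no');
printf("safe rendering leaks markup:   %s\n",
    containsForeignMarkup(renderMessageSafe($sample)) ? 'yes' : 'no');
```

Run with `php example.php`; the unsafe path reports leaked markup, the hardened path does not.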

What This Means For You

  • If your organization uses Brave CMS, you need to immediately verify that your installation is updated to at least commit 6c56603 or a later version. This HTML injection vulnerability creates a direct path for attackers to deliver highly convincing phishing attacks to your administrators. Audit your Brave CMS instance and ensure this patch is applied to mitigate the risk of targeted social engineering.

🛡️ Detection Rules

CVE-2026-41576 - Brave CMS Unescaped Contact Form HTML Injection

title: CVE-2026-41576 - Brave CMS Unescaped Contact Form HTML Injection
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-41576 by submitting crafted HTML/JavaScript payloads through the Brave CMS contact form. The vulnerability allows arbitrary HTML injection due to unescaped user input in the message field, which is then rendered in email templates. This rule looks for POST requests to a '/contact' URI that carry common JavaScript alert patterns in the URI itself, indicative of an attempted exploit.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41576/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Field names are kept as published; map them to your web server log
  # schema when exporting. A form payload carried in the POST body does
  # not appear in the request URI, so standard access logs only expose
  # payloads that were placed in the URI itself.
  selection:
    cs-method: 'POST'
    cs-uri|contains: '/contact'
  payload:
    # Both patterns must appear in the URI.
    cs-uri|contains|all:
      - '<script>'
      - 'alert('
  condition: selection and payload
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID               Type            Indicator
CVE-2026-41576   XSS             Brave CMS prior to commit 6c56603
CVE-2026-41576   XSS             Brave CMS contact form
CVE-2026-41576   XSS             Unescaped {!! $msg !!} directive in Blade email template
CVE-2026-41576   Code Injection  HTML injection into email body via user-supplied message text

Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 18:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
