theinfosecnews

CVE-2026-35183

Published April 7, 2026 · Updated April 7, 2026

CVSS 7.1 (High)

What This Means

CVE-2026-35183 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in Brave CMS versions prior to 2.0.6. It allows authenticated users with edit permissions to delete images from articles they do not own, posing a risk of unauthorized data deletion. Update Brave CMS to version 2.0.6 or later to mitigate this vulnerability.

Official Description

Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL but does not verify ownership. This allows an authenticated user with edit permissions to delete images attached to articles owned by other users. This vulnerability is fixed in 2.0.6.
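
The missing ownership check, shown as an added example in plain PHP. This is not Brave CMS code or its 2.0.6 patch; the function names, the array-backed store and the sample IDs and filenames are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: who owns each article, and which article each image belongs to.
$articles = [
    10 => ['owner_id' => 1],
    11 => ['owner_id' => 2],
];
$images = [
    'cover-a.jpg' => ['article_id' => 10],
    'cover-b.jpg' => ['article_id' => 11],
];

/** Pattern described in the advisory: the filename from the URL alone decides what is deleted. */
function deleteImageUnchecked(array &$images, string $filename): int
{
    if (!isset($images[$filename])) {
        return 404;
    }
    unset($images[$filename]);   // no ownership check before the delete
    return 200;
}

/** Hardened pattern: resolve the image to its article and compare that article's owner to the caller. */
function deleteImageChecked(array &$images, array $articles, int $userId, string $filename): int
{
    $image = $images[$filename] ?? null;
    if ($image === null) {
        return 404;
    }
    $article = $articles[$image['article_id']] ?? null;
    if ($article === null || $article['owner_id'] !== $userId) {
        return 403;              // authenticated editor, but not the owner of this article
    }
    unset($images[$filename]);
    return 200;
}

// User 1 (an editor) requests deletion of an image attached to user 2's article.
$copy = $images;                 // separate copy so the unchecked call does not affect the checked runs
printf("unchecked, user 1 -> cover-b.jpg: %d\n", deleteImageUnchecked($copy, 'cover-b.jpg'));
printf("checked,   user 1 -> cover-b.jpg: %d\n", deleteImageChecked($images, $articles, 1, 'cover-b.jpg'));
printf("checked,   user 2 -> cover-b.jpg: %d\n", deleteImageChecked($images, $articles, 2, 'cover-b.jpg'));
printf("checked,   user 1 -> missing.jpg: %d\n", deleteImageChecked($images, $articles, 1, 'missing.jpg'));
```

The point of the hardened form is that authorization is decided per object, on the server, from the stored article-to-owner relationship rather than from holding the edit permission alone.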

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-35183.
