Insecure Direct Object Reference in Brave CMS Image Deletion Feature
CVE-2026-35183

7.1 HIGH

Key Information:

Vendor: Ajax30
CVE Published: 6 April 2026

What is CVE-2026-35183?

Brave CMS, an open-source content management system, contains an Insecure Direct Object Reference vulnerability in the article image deletion feature. In versions before 2.0.6, the deleteImage method in app/Http/Controllers/Dashboard/ArticleController.php deletes the image filename supplied in the request without verifying that the file belongs to an article the requesting user owns. Any authenticated user with article edit permissions can therefore remove images attached to other users' articles. The impact is unauthorized data manipulation (integrity); the published metrics claim no confidentiality or availability impact. Version 2.0.6 fixes the issue, and deployments on earlier releases should upgrade.
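The following is an added illustration, not Brave CMS's own code and not the patch shipped in 2.0.6. It pairs the vulnerable shape the advisory describes with a hardened version in Laravel style (the controller path in the advisory follows Laravel conventions). The route and its `{article}` binding, the `image` request parameter, the `Article` model's `user_id` and `image` columns, the `articles/` storage path, the `ArticlePolicy` registration, the factories, and the route name used in the test are all assumptions made for the example.

```php
<?php
// app/Http/Controllers/Dashboard/ArticleController.php (illustrative only)

namespace App\Http\Controllers\Dashboard;

use App\Http\Controllers\Controller;
use App\Models\Article;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class ArticleController extends Controller
{
    use AuthorizesRequests;

    /**
     * VULNERABLE SHAPE (assumed, not the project's actual code).
     * The only gate is the middleware that checks "logged in and allowed to
     * edit articles". The filename comes straight from the request and is
     * never tied back to an article the caller owns, so any editor can delete
     * any other user's article image simply by naming it.
     */
    public function deleteImageInsecure(Request $request)
    {
        $filename = $request->input('image');
        Storage::disk('public')->delete('articles/' . $filename);

        return response()->json(['deleted' => $filename]);
    }

    /**
     * HARDENED: authorize on the owning object, then delete only the file
     * that object actually references.
     */
    public function deleteImage(Request $request, Article $article)
    {
        // 1. Authorization on the parent object, not on the filename.
        //    Assumes an ArticlePolicy@update that compares
        //    $user->id with $article->user_id.
        $this->authorize('update', $article);

        // 2. Strip any directory component so a value such as
        //    "../../.env" can never reach the filesystem call.
        $filename = basename((string) $request->input('image', ''));

        // 3. Delete only what the article row points at. Comparing against the
        //    stored value means the client cannot choose an arbitrary file,
        //    not even another article's file under articles/.
        if ($filename === '' || $article->image !== $filename) {
            abort(404);
        }

        Storage::disk('public')->delete('articles/' . $filename);
        $article->forceFill(['image' => null])->save();

        return response()->json(['deleted' => $filename]);
    }
}

// app/Policies/ArticlePolicy.php (assumed to exist and to be registered)
namespace App\Policies;

use App\Models\Article;
use App\Models\User;

class ArticlePolicy
{
    public function update(User $user, Article $article): bool
    {
        return $user->id === $article->user_id;
    }
}

// tests/Feature/ArticleImageDeletionTest.php (regression test for the IDOR)
namespace Tests\Feature;

use App\Models\Article;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Storage;
use Tests\TestCase;

class ArticleImageDeletionTest extends TestCase
{
    use RefreshDatabase;

    public function test_editor_cannot_delete_another_users_article_image(): void
    {
        Storage::fake('public');
        $owner = User::factory()->create();
        $other = User::factory()->create();
        // Constructed fixture: an article owned by $owner with one image.
        $article = Article::factory()->for($owner)->create(['image' => 'cover.jpg']);
        Storage::disk('public')->put('articles/cover.jpg', 'constructed-bytes');

        // A different authenticated user names the owner's file directly.
        $this->actingAs($other)
            ->deleteJson(route('dashboard.articles.image.destroy', $article),
                         ['image' => 'cover.jpg'])
            ->assertForbidden();

        // The file must survive the cross-user request.
        Storage::disk('public')->assertExists('articles/cover.jpg');
    }
}
```

The essential change is the order of operations: authorize against an object the caller is allowed to touch, then derive the filename from that object rather than trusting the one in the request. The feature test is the check worth keeping in the suite after upgrading, since it fails against the insecure shape and passes against the hardened one.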

Affected Version(s)

BraveCMS 2.0, versions earlier than 2.0.6 (fixed in 2.0.6)

CVSS V3.1

Score: 7.1 (HIGH)
Metrics as listed: Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: High; Availability: None

Note: the listed metrics do not reproduce the listed score. Under the CVSS 3.1 base formula, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N scores 6.5 (Medium); 7.1 results, for example, from the same vector with Confidentiality raised to Low. Confirm the vector string against the original advisory before relying on either figure.
