Executive Summary

CVE-2026-41576 is a stored HTML injection vulnerability in the contact email functionality of BraveCMS-2.0. The contact form is publicly accessible without authentication, and user-submitted messages are processed using PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML.

The processed message is then embedded into an email template using the unescaped Blade directive {!! $msg !!}, allowing attackers to inject arbitrary HTML markup into the email body sent to administrators.

Although modern email clients block JavaScript execution, they still render HTML content, enabling attackers to craft convincing phishing interfaces inside the email, such as fake login prompts or system messages.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to credential harvesting or redirection to malicious domains by allowing attackers to impersonate trusted user interface elements within emails sent to administrators.

If an administrator interacts with the malicious content, such as entering credentials into a fake login prompt, the data can be submitted to an attacker-controlled endpoint.

The confidentiality impact is high because sensitive administrator credentials could be stolen, while the integrity and availability impacts are low or none.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the contact form of BraveCMS-2.0 for HTML injection in the email messages sent to administrators.

Specifically, an attacker can submit a message containing HTML markup through the publicly accessible contact form and observe if the resulting email renders the injected HTML without escaping.

To detect this on your system, you can perform the following steps:

• Submit a test message via the contact form containing HTML tags, such as <b>test</b> or a simple script tag.
• Check the administrator's received email to see if the HTML tags are rendered as HTML rather than escaped text.
• Use network monitoring tools (e.g., tcpdump or Wireshark) to capture SMTP traffic and inspect the email content for unescaped HTML.
• Example command to capture SMTP traffic on port 25: sudo tcpdump -i any port 25 -A
• Alternatively, check the email templates in the BraveCMS source code for usage of unescaped Blade directives like {!! $msg !!}.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Apply the patch from commit 6c56603 or upgrade BraveCMS to a version that includes this fix.
• Modify the email template to escape user input by replacing the unescaped Blade directive {!! $msg !!} with the escaped version {{ $msg }}.
• Implement server-side HTML sanitization on user-supplied message content before rendering it in emails.
• Consider disabling or restricting the contact form to authenticated users only, if possible.
• Educate administrators to be cautious with email content from the contact form and avoid interacting with suspicious HTML content.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to inject arbitrary HTML into emails sent to administrators, potentially leading to credential harvesting through phishing interfaces. The compromise of administrator credentials and potential unauthorized access to sensitive data could result in violations of data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Specifically, the high confidentiality impact means that sensitive information could be exposed, which may trigger breach notification requirements and penalties under these regulations.

Useful 0 Not Useful 0