
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Jan 2025 — On most desktop platforms, Brave Browser versions 1.70.x-1.73.x included a feature to show a site's origin on the OS-provided file selector dialog when a site prompts the user to upload or download a file. However, the origin was not correctly inferred in some cases. When combined with an open redirector vulnerability on a trusted site, this could allow a malicious site to initiate a download whose origin in the file select dialog appears as the trusted site which initiated the redirect. • https://hackerone.com/reports/2888770 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Sep 2024 — In Brave Android prior to v1.67.116, domains in the Brave Shields popup are elided from the right instead of the left, which may lead to domain confusion. • https://hackerone.com/reports/2501378 • CWE-20: Improper Input Validation

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Aug 2024 — Cross-Site Request Forgery (CSRF) vulnerability in Brave Brave Popup Builder. This issue affects Brave Popup Builder: from n/a through 0.7.0. The Brave Popup Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.7.0. This is due to missing or incorrect nonce validation on the bravepop_ajax_zoho_init_token() function. This makes it possible for unauthenticated attackers to save an integration token via a forged request granted they can trick a site admini... • https://patchstack.com/database/vulnerability/brave-popup-builder/wordpress-brave-plugin-0-7-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Mar 2024 — Server-Side Request Forgery (SSRF) vulnerability in Brave Brave Popup Builder. This issue affects Brave Popup Builder: from n/a through 0.6.5. The Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.6.5. This makes i... • https://patchstack.com/database/vulnerability/brave-popup-builder/wordpress-brave-plugin-0-6-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

30 Dec 2023 — Brave Browser before 1.59.40 does not properly restrict the schema for WebUI factory and redirect. This is related to browser/brave_content_browser_client.cc and browser/ui/webui/brave_web_ui_controller_factory.cc. • https://github.com/brave/brave-browser/issues/32449 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

30 Jun 2023 — An Open Redirect vulnerability exists prior to version 1.52.117, where the built-in QR scanner in Brave Browser Android navigated to scanned URLs automatically without showing the URL first. Now the user must manually navigate to the URL. • https://hackerone.com/reports/1946534 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

11 May 2023 — An omission of security-relevant information vulnerability exists in Brave desktop prior to version 1.48.171: when a user was saving a file, there was no download safety check dialog presented to the user. • https://hackerone.com/reports/1848062 • CWE-223: Omission of Security-relevant Information

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

09 Feb 2023 — Prior to commit 51867e0d15a6d7f80d5b714fd0e9976b9c160bb0, https://github.com/brave/adblock-lists removed redirect interceptors on some websites like Facebook in which the redirect interceptor may have been there for security purposes. This could potentially cause open redirects on these websites. Brave's redirect interceptor removal feature is known as "debouncing" and is intended to remove unnecessary redirects that track users across the web. • https://hackerone.com/reports/1579374 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

24 Dec 2022 — Brave Browser before 1.43.34 allowed a remote attacker to cause a denial of service via a crafted HTML file that mentions an ipfs:// or ipns:// URL. This vulnerability is caused by an incomplete fix for CVE-2022-47933. • https://github.com/brave/brave-browser/issues/24093

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

24 Dec 2022 — Brave Browser before 1.42.51 allowed a remote attacker to cause a denial of service via a crafted HTML file that references the IPFS scheme. This vulnerability is caused by an uncaught exception in the function ipfs::OnBeforeURLRequest_IPFSRedirectWork() in ipfs_redirect_network_delegate_helper.cc. • https://github.com/brave/brave-browser/issues/23646 • CWE-755: Improper Handling of Exceptional Conditions