119 matches found

Cvelist
added 2026/04/30 6:22 p.m., 29 views

CVE-2026-40601 Chartbrew: Missing Authorization in /api/chart/:chart_id/query via team-level refresh toggle

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the...

CVSS 7.5, EPSS 0.00326
Exploits 0, References 2

CVE
added 2026/04/30 6:22 p.m., 9 views

CVE-2026-40601

Chartbrew 4.9.0 exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify chart ownership, report/public status, or sharing policy, allowing an unauthenticated attacker who knows a chart ID to trigger a data refresh and re...

CVSS 7.5, AI score 5.4, EPSS 0.00326
Exploits 0, References 2

ATTACKERKB
added 2026/04/30 6:22 p.m., 6 views

CVE-2026-40601

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the...

CVSS 7.5, AI score 5.3, EPSS 0.00326
Exploits 0, References 3

EUVD
added 2026/04/30 6:22 p.m., 11 views

EUVD-2026-26409

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the...

CVSS 7.5, AI score 5.4, EPSS 0.00326
Exploits 0, References 2

Vulnrichment
added 2026/04/30 6:22 p.m., 2 views

CVE-2026-40600 Chartbrew: Incorrect Access Control in project share policy routes via unbound policy_id

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affect...

CVSS 8.1, AI score 5.3, EPSS 0.00232
Exploits 0, References 2

Cvelist
added 2026/04/30 6:22 p.m., 37 views

CVE-2026-40600 Chartbrew: Incorrect Access Control in project share policy routes via unbound policy_id

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affect...

CVSS 8.1, EPSS 0.00232
Exploits 0, References 2

EUVD
added 2026/04/30 6:22 p.m., 5 views

EUVD-2026-26408

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affect...

CVSS 8.1, AI score 5.3, EPSS 0.00232
Exploits 0, References 2

ATTACKERKB
added 2026/04/30 6:22 p.m., 5 views

CVE-2026-40600

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affect...

CVSS 8.1, AI score 5.3, EPSS 0.00232
Exploits 0, References 3

CVE
added 2026/04/30 6:22 p.m., 9 views

CVE-2026-40600

Chartbrew prior to 5.0.0 allowed cross-project modification of SharePolicy because policy_id was not verified against the target project. Authenticated users with access to one project could update/delete sharing rules (visibility, password requirements, allowed parameters, expiration). Patch rel...

CVSS 8.1, AI score 5.3, EPSS 0.00232
Exploits 0, References 2

Cvelist
added 2026/04/30 6:21 p.m., 32 views

CVE-2026-40595 Chartbrew: Incorrect Access Control in public chart and export routes via missing onReport and SharePolicy checks

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. Th...

CVSS 7.5, EPSS 0.00275
Exploits 0, References 2

ATTACKERKB
added 2026/04/30 6:21 p.m., 8 views

CVE-2026-40595

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. Th...

CVSS 7.5, AI score 5.3, EPSS 0.00275
Exploits 0, References 3

EUVD
added 2026/04/30 6:21 p.m., 6 views

EUVD-2026-26407

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. Th...

CVSS 7.5, AI score 5.3, EPSS 0.00275
Exploits 0, References 2

CVE
added 2026/04/30 6:21 p.m., 11 views

CVE-2026-40595

Chartbrew 4.9.0 exposes public chart retrieval and export endpoints that only check project-level public access (and, for exports, a team-level toggle) without validating that the chart is allowed on the public report or that SharePolicy permits public access. An unauthenticated attacker who know...

CVSS 7.5, AI score 5.3, EPSS 0.00275
Exploits 0, References 2

Vulnrichment
added 2026/04/30 6:21 p.m., 5 views

CVE-2026-35514 Unauthenticated Account Registration via /user/invited Bypasses All Signup Restrictions in Chartbrew

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

CVSS 6.5, AI score 5.7, EPSS 0.00243
Exploits 0, References 2

Cvelist
added 2026/04/30 6:21 p.m., 34 views

CVE-2026-35514 Unauthenticated Account Registration via /user/invited Bypasses All Signup Restrictions in Chartbrew

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

CVSS 6.5, EPSS 0.00243
Exploits 0, References 2

EUVD
added 2026/04/30 6:21 p.m., 6 views

EUVD-2026-26405

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

CVSS 6.5, AI score 5.4, EPSS 0.00243
Exploits 0, References 2

ATTACKERKB
added 2026/04/30 6:21 p.m., 2 views

CVE-2026-35514

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

CVSS 6.5, AI score 5.4, EPSS 0.00243
Exploits 0, References 3

CVE
added 2026/04/30 6:21 p.m., 13 views

CVE-2026-35514

Vulnerability overview: Chartbrew 4.9.0 contains an unauthenticated account creation bypass via POST /user/invited, which does not validate invite tokens, authentication headers, or sessions. This allows any unauthenticated user to create a fully active account and obtain a valid JWT, even when ...

CVSS 6.5, AI score 5.4, EPSS 0.00243
Exploits 0, References 2

Vulnrichment
added 2026/04/30 6:20 p.m., 3 views

CVE-2026-40904 Chartbrew: Incorrect Access Control in dataset and dataRequest routes via team-scoped permission checks

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the...

CVSS 8.1, AI score 5.3, EPSS 0.00235
Exploits 0, References 2

ATTACKERKB
added 2026/04/30 6:20 p.m., 2 views

CVE-2026-40904

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the...

CVSS 8.1, AI score 5.3, EPSS 0.00235
Exploits 0, References 3