119 matches found

Vulnrichment
added 2026/03/06 4:08 a.m. · 4 views

CVE-2026-27605 Chartbrew: Stored Cross-Site Scripting (XSS) via File Upload API

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading project logo files without validating the file type or content. It trusts the extension provided by the user...

CVSS 6.3 · AI score 5.7 · EPSS 0.00211
Exploits 1 · References 2
CVE
added 2026/03/06 4:08 a.m. · 9 views

CVE-2026-27605

CVE-2026-27605 affects Chartbrew before 4.8.4. The app allowed uploading logos without validating file type/content, trusting user-provided extensions and saving files to uploads/ for static serving. An attacker could upload an HTML file with malicious JavaScript, and since authentication tokens ...

CVSS 6.3 · AI score 5.8 · EPSS 0.00211
Exploits 1 · References 2 · Affected Software 1
OSV
added 2026/03/06 4:08 a.m. · 2 views

CVE-2026-27605 Chartbrew: Stored Cross-Site Scripting (XSS) via File Upload API

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading project logo files without validating the file type or content. It trusts the extension provided by the user...

CVSS 6.3 · AI score 5.8 · EPSS 0.00211
Exploits 1 · References 4
Vulnrichment
added 2026/03/06 4:07 a.m. · 4 views

CVE-2026-27603 Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter missing verifyToken + checkPermissions

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing...

CVSS 8.7 · AI score 5.8 · EPSS 0.0042
Exploits 1 · References 2
OSV
added 2026/03/06 4:07 a.m. · 3 views

CVE-2026-27603 Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter missing verifyToken + checkPermissions

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing...

CVSS 8.7 · AI score 5.8 · EPSS 0.0042
Exploits 1 · References 4
Cvelist
added 2026/03/06 4:07 a.m. · 28 views

CVE-2026-27603 Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter missing verifyToken + checkPermissions

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing...

CVSS 8.7 · EPSS 0.0042
Exploits 1 · References 2
EUVD
added 2026/03/06 4:07 a.m. · 5 views

EUVD-2026-9979

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing...

CVSS 8.7 · AI score 5.9 · EPSS 0.0042
Exploits 1 · References 2
CVE
added 2026/03/06 4:07 a.m. · 14 views

CVE-2026-27603

Chartbrew is an open-source web app that prior to version 4.8.4 exposed chart data via POST /project/:project_id/chart/:chart_id/filter due to missing verifyToken and checkPermissions middleware. This allowed unauthenticated access to chart data across teams/projects. The issue is fixed in versio...

CVSS 8.7 · AI score 5.9 · EPSS 0.0042
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2026/03/06 4:07 a.m. · 27 views

CVE-2026-27005 Chartbrew: SQL injection in date-type variable handling (applyMysqlOrPostgresVariables)

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows...

CVSS 9.3 · EPSS 0.00513
Exploits 1 · References 2
CVE
added 2026/03/06 4:07 a.m. · 11 views

CVE-2026-27005

Chartbrew prior to version 4.8.3 is vulnerable to unauthenticated SQL injection in queries executed against connected databases (MySQL, PostgreSQL). The root cause is arbitrary SQL being injected via user-supplied input in queries, potentially allowing reading, modification, or deletion of data d...

CVSS 9.8 · AI score 6 · EPSS 0.00513
Exploits 1 · References 2 · Affected Software 1
EUVD
added 2026/03/06 4:07 a.m. · 3 views

EUVD-2026-9978

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows...

CVSS 9.3 · AI score 6 · EPSS 0.00513
Exploits 1 · References 2
Vulnrichment
added 2026/03/06 4:07 a.m. · 2 views

CVE-2026-27005 Chartbrew: SQL injection in date-type variable handling (applyMysqlOrPostgresVariables)

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows...

CVSS 9.3 · AI score 5.9 · EPSS 0.00513
Exploits 1 · References 2
OSV
added 2026/03/06 4:07 a.m. · 2 views

CVE-2026-27005 Chartbrew: SQL injection in date-type variable handling (applyMysqlOrPostgresVariables)

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows...

CVSS 9.3 · AI score 5.9 · EPSS 0.00513
Exploits 1 · References 4
CVE
added 2026/03/06 4:07 a.m. · 8 views

CVE-2026-25888

CVE-2026-25888 affects Chartbrew, an open-source web application that can connect to databases and APIs to generate charts. A remote code execution vulnerability exists in versions prior to 4.8.1 through a vulnerable API, enabling an attacker with network access and low privileges, with no user i...

CVSS 8.8 · AI score 6.5 · EPSS 0.0066
Exploits 1 · References 2 · Affected Software 1
OSV
added 2026/03/06 4:07 a.m. · 3 views

CVE-2026-25888 Chartbrew: Remote Code Execution (RCE) via Vulnerable API

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1...

CVSS 8.8 · AI score 6.3 · EPSS 0.0066
Exploits 1 · References 4
Cvelist
added 2026/03/06 4:07 a.m. · 26 views

CVE-2026-25888 Chartbrew: Remote Code Execution (RCE) via Vulnerable API

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1...

CVSS 8.8 · EPSS 0.0066
Exploits 1 · References 2
Vulnrichment
added 2026/03/06 4:07 a.m. · 5 views

CVE-2026-25888 Chartbrew: Remote Code Execution (RCE) via Vulnerable API

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1...

CVSS 8.8 · AI score 6.3 · EPSS 0.0066
Exploits 1 · References 2
EUVD
added 2026/03/06 4:07 a.m. · 5 views

EUVD-2026-9977

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1...

CVSS 8.8 · AI score 6.5 · EPSS 0.0066
Exploits 1 · References 2
CVE
added 2026/03/06 4:07 a.m. · 14 views

CVE-2026-25887

Chartbrew is affected prior to version 4.8.1 with a remote code execution vulnerability via the MongoDB dataset Query. The issue, classified as CVSS 3.1 Base Score 7.2 (HIGH), has been patched in version 4.8.1. Affected: Chartbrew

CVSS 7.2 · AI score 6.5 · EPSS 0.00839
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2026/03/06 4:07 a.m. · 27 views

CVE-2026-25887 Chartbrew: Remote Code Execution (RCE) via MongoDB Dataset Query

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1...

CVSS 7.2 · EPSS 0.00839
Exploits 1 · References 2