Lucene search
K

8 matches found

CVE
CVE
added 2026/03/06 4:7 a.m.26 views

CVE-2026-27603

Chartbrew is an open-source web app that prior to version 4.8.4 exposed chart data via POST /project/:project_id/chart/:chart_id/filter due to missing verifyToken and checkPermissions middleware. This allowed unauthenticated access to chart data across teams/projects. The issue is fixed in versio...

8.7CVSS5.9AI score0.0042EPSS
Web
CVE
CVE
added 2026/03/06 4:7 a.m.22 views

CVE-2026-27005

Chartbrew prior to version 4.8.3 is vulnerable to unauthenticated SQL injection in queries executed against connected databases (MySQL, PostgreSQL). The root cause is arbitrary SQL being injected via user-supplied input in queries, potentially allowing reading, modification, or deletion of data d...

9.8CVSS6AI score0.00513EPSS
CVE
CVE
added 2026/03/06 4:7 a.m.19 views

CVE-2026-25887

Chartbrew is affected prior to version 4.8.1 with a remote code execution vulnerability via the MongoDB dataset Query. The issue, classified as CVSS 3.1 Base Score 7.2 (HIGH), has been patched in version 4.8.1. Affected: Chartbrew

7.2CVSS6.5AI score0.00839EPSS
CVE
CVE
added 2026/04/10 7:15 p.m.19 views

CVE-2026-30232

Chartbrew prior to version 4.8.5 is affected by a Server-Side Request Forgery (SSRF) vulnerability in API data connections. Authenticated users can specify arbitrary URLs and the server fetches them via request-promise without IP address validation, enabling access to internal networks and cloud ...

9.6CVSS5.9AI score0.00242EPSS
CVE
CVE
added 2026/03/06 4:8 a.m.18 views

CVE-2026-27605

CVE-2026-27605 affects Chartbrew before 4.8.4. The app allowed uploading logos without validating file type/content, trusting user-provided extensions and saving files to uploads/ for static serving. An attacker could upload an HTML file with malicious JavaScript, and since authentication tokens ...

6.3CVSS5.8AI score0.00211EPSS
Web
CVE
CVE
added 2026/03/06 4:7 a.m.17 views

CVE-2026-25877

Chartbrew (open-source web app) prior to version 4.8.1 performs authorization checks on chart-related operations using only the project_id, with no authorization on the chart_id itself. This allows an authenticated user who has access to any project to access or manipulate charts belonging to oth...

6.5CVSS5.9AI score0.00286EPSS
CVE
CVE
added 2026/03/06 4:7 a.m.16 views

CVE-2026-25888

CVE-2026-25888 affects Chartbrew, an open‑source web application that can connect to databases and APIs to generate charts. A remote code execution vulnerability exists in versions prior to 4.8.1 through a vulnerable API, enabling an attacker with network access and low privileges, with no user i...

8.8CVSS6.5AI score0.0066EPSS
CVE
CVE
added 2026/04/10 7:17 p.m.13 views

CVE-2026-32252

CVE-2026-32252 – Chartbrew : A cross-tenant authorization bypass exists in GET /team/:team_id/template/generate/:project_id prior to 4.9.0. The handler calls checkAccess(req, "updateAny", "chart") without awaiting the promise and does not verify the project_id belongs to the caller’s team. As a r...

7.7CVSS5.8AI score0.00285EPSS
Web