VYPR

Chartbrew

by Chartbrew


CVEs (15)

  • CVE-2026-30232 · Critical · Apr 10, 2026
    risk 0.55 · CVSS 9.6 · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using…

  • CVE-2026-40904 · High · Apr 30, 2026
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead…

  • CVE-2026-40600 · High · Apr 30, 2026
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different…

  • CVE-2026-40601 · High · Apr 30, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does…

  • CVE-2026-40595 · High · Apr 30, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level…

  • CVE-2026-32252 · High · Apr 10, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls…

  • CVE-2026-41518 · High · Jun 4, 2026
    risk 0.42 · CVSS 7.6 · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the…

  • CVE-2026-40603 · Medium · Apr 30, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even…

  • CVE-2026-35514 · Medium · Apr 30, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker…

  • CVE-2026-27605 · Mar 6, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project logos) without validating the file type or content. It trusts the extension…

  • CVE-2026-27603 · Mar 6, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions…

  • CVE-2026-27005 · Mar 6, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL,…

  • CVE-2026-25888 · Mar 6, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.

  • CVE-2026-25887 · Mar 6, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.

  • CVE-2026-25877 · Mar 6, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations…
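Most of the entries above are one bug class seen from different angles: a route with no verifyToken/checkPermissions middleware at all (CVE-2026-27603, CVE-2026-40601, CVE-2026-35514), a check keyed on the team when the resource lives in a project (CVE-2026-40904, CVE-2026-40603), and a check keyed on the project_id parameter alone without confirming that the chart or SharePolicy being acted on actually belongs to that project (CVE-2026-25877, CVE-2026-40600). The following is an added example written for this page, not Chartbrew's code: an Express-style middleware chain over plain request objects (no Express dependency), with the unauthenticated and team-level variants beside the project-scoped one. All names (verifyToken, checkProjectPermission, the users, projects and charts tables, the bearer tokens) are constructed for illustration.

```javascript
"use strict";

// Constructed in-memory state for the example (not real Chartbrew data).
// alice and bob are on the same team t1 but belong to different projects.
const sessions = { "tok-alice": "alice", "tok-bob": "bob" };
const users = {
  alice: { team: "t1", projects: ["p1"] },
  bob:   { team: "t1", projects: ["p2"] },
};
const projects = { p1: { team: "t1" }, p2: { team: "t1" } };
const charts   = { c1: { project: "p1" }, c2: { project: "p2" } };

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// verifyToken: resolve the bearer token to a user, or reject with 401.
function verifyToken(req) {
  const header = req.headers.authorization || "";
  const token = header.startsWith("Bearer ") ? header.slice(7) : null;
  const userId = token && sessions[token];
  if (!userId) throw new HttpError(401, "unauthenticated");
  req.user = { id: userId, ...users[userId] };
}

// Team-level check: the wrong granularity. Any member of the team that owns
// the project passes, including members of a different project in that team.
function checkTeamMembership(req) {
  const project = projects[req.params.project_id];
  if (!project || project.team !== req.user.team) throw new HttpError(403, "forbidden");
}

// Project-level check that also binds the chart to the project in the URL:
// authorising on project_id alone would let a chart from another project be
// addressed under a project the caller is allowed to see.
function checkProjectPermission(req) {
  const { project_id, chart_id } = req.params;
  if (!projects[project_id] || !req.user.projects.includes(project_id)) {
    throw new HttpError(403, "forbidden");
  }
  const chart = charts[chart_id];
  if (!chart || chart.project !== project_id) throw new HttpError(404, "not found");
}

// The business handler; in the real route this would run the chart filter.
function filterHandler(req) {
  return { status: 200, body: { chart: req.params.chart_id, filtered: true } };
}

// Three ways the same route could be wired, as middleware chains.
const routes = {
  vulnerable: [filterHandler],                                   // no auth at all
  teamLevel:  [verifyToken, checkTeamMembership, filterHandler], // too coarse
  hardened:   [verifyToken, checkProjectPermission, filterHandler],
};

// Run a chain over a request object; translate HttpError into a response.
function dispatch(routeName, req) {
  try {
    let result;
    for (const mw of routes[routeName]) result = mw(req) || result;
    return result;
  } catch (err) {
    if (err instanceof HttpError) return { status: err.status, body: { error: err.message } };
    throw err;
  }
}

// Build a request for POST /project/:project_id/chart/:chart_id/filter.
function request(token, project_id, chart_id) {
  return {
    headers: token ? { authorization: `Bearer ${token}` } : {},
    params: { project_id, chart_id },
  };
}
```

The check to run against any such route is the same one the CVE descriptions imply: an unauthenticated request must get 401, a same-team user outside the project must get 403, and a chart id from another project addressed under an allowed project must not be served at all.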
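The first entry above (CVE-2026-30232) describes the server fetching user-supplied URLs for API data connections. The following is an added example, not Chartbrew's code, of the destination check such a fetcher needs before it opens a connection. It works only on the URL literal: scheme, embedded credentials, loopback names and IPv4 literals in private or special-use ranges. The function name, the range list and the rejection of every IPv6 literal are choices made for this example.

```javascript
"use strict";

// Special-use IPv4 ranges an outbound fetcher should never reach on a user's
// behalf: RFC 1918, loopback, link-local (cloud metadata lives at
// 169.254.169.254), "this" network and CGNAT.
const BLOCKED_V4 = [
  [[10, 0, 0, 0], 8], [[172, 16, 0, 0], 12], [[192, 168, 0, 0], 16],
  [[127, 0, 0, 0], 8], [[169, 254, 0, 0], 16],
  [[0, 0, 0, 0], 8], [[100, 64, 0, 0], 10],
];

// Dotted-decimal IPv4 literal -> [a, b, c, d], or null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

function inCidr(octets, [base, bits]) {
  const toInt = (o) => ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return (toInt(octets) & mask) === (toInt(base) & mask);
}

// Returns { ok: true, url } with the normalised URL, or { ok: false, reason }.
// The WHATWG URL parser canonicalises numeric hosts (decimal, hex, short
// forms) to dotted decimal, so "http://2130706433/" arrives here as 127.0.0.1.
function checkOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme " + url.protocol };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "loopback name" };
  }
  // Conservative choice for this example: refuse all IPv6 literals (they can
  // carry mapped IPv4 addresses such as [::ffff:127.0.0.1]).
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literal" };
  const v4 = parseIPv4(host);
  if (v4 && BLOCKED_V4.some((range) => inCidr(v4, range))) {
    return { ok: false, reason: "blocked address " + host };
  }
  return { ok: true, url: url.href };
}
```

This guard is necessary but not sufficient: a hostname that resolves to a private address, or one that changes its answer between the check and the connect (DNS rebinding), passes it. The fetcher therefore also has to resolve the name itself, run the same address check on every resolved address, connect to that address rather than re-resolving, and apply the check again to every redirect target, or route all such fetches through an egress proxy that enforces the policy.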