Chartbrew
Products
1- 15 CVEs
Recent CVEs
15| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-30232 | Cri | 0.55 | 9.6 | 0.00 | Apr 10, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using… | ||
| CVE-2026-40904 | Hig | 0.53 | 8.1 | 0.00 | Apr 30, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead… | ||
| CVE-2026-40600 | Hig | 0.53 | 8.1 | 0.00 | Apr 30, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different… | ||
| CVE-2026-40601 | Hig | 0.49 | 7.5 | 0.00 | Apr 30, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does… | ||
| CVE-2026-40595 | Hig | 0.49 | 7.5 | 0.00 | Apr 30, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level… | ||
| CVE-2026-32252 | Hig | 0.43 | 7.7 | 0.00 | Apr 10, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls… | ||
| CVE-2026-41518 | Hig | 0.42 | 7.6 | 0.00 | Jun 4, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the… | ||
| CVE-2026-40603 | Med | 0.42 | 6.5 | 0.00 | Apr 30, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even… | ||
| CVE-2026-35514 | Med | 0.42 | 6.5 | 0.00 | Apr 30, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker… | ||
| CVE-2026-27605 | 0.00 | — | 0.00 | Mar 6, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project logos) without validating the file type or content. It trusts the extension… | |||
| CVE-2026-27603 | 0.00 | — | 0.00 | Mar 6, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions… | |||
| CVE-2026-27005 | 0.00 | — | 0.01 | Mar 6, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL,… | |||
| CVE-2026-25888 | 0.00 | — | 0.01 | Mar 6, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1. | |||
| CVE-2026-25887 | 0.00 | — | 0.01 | Mar 6, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1. | |||
| CVE-2026-25877 | 0.00 | — | 0.00 | Mar 6, 2026 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations… |
- risk 0.55cvss 9.6epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using…
- risk 0.53cvss 8.1epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead…
- risk 0.53cvss 8.1epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different…
- risk 0.49cvss 7.5epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does…
- risk 0.49cvss 7.5epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level…
- risk 0.43cvss 7.7epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls…
- risk 0.42cvss 7.6epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the…
- risk 0.42cvss 6.5epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even…
- risk 0.42cvss 6.5epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker…
- CVE-2026-27605Mar 6, 2026risk 0.00cvss —epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project logos) without validating the file type or content. It trusts the extension…
- CVE-2026-27603Mar 6, 2026risk 0.00cvss —epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions…
- CVE-2026-27005Mar 6, 2026risk 0.00cvss —epss 0.01
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL,…
- CVE-2026-25888Mar 6, 2026risk 0.00cvss —epss 0.01
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.
- CVE-2026-25887Mar 6, 2026risk 0.00cvss —epss 0.01
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.
- CVE-2026-25877Mar 6, 2026risk 0.00cvss —epss 0.00
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations…