Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.
Published: 2026-03-06
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Chartbrew is an open‑source web application that allows users to fetch data from databases and APIs to build charts. A flaw in the MongoDB dataset query handling allowed an attacker to inject arbitrary code that would be executed on the application server. This is a code injection vulnerability, classified as CWE‑94, and could lead to full compromise of the host running the service.

Affected Systems

Versions of Chartbrew prior to 4.8.1 are affected. The fix was released in the 4.8.1 release and all later builds contain the patch. Any deployment using an older build must be upgraded.

Risk and Exploitability

The vulnerability has a high severity rating, with a calculated score of 7.2. The estimated probability that it is currently being exploited is very low, less than one percent, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote, achievable through the web API or dashboard that processes user-supplied MongoDB queries, requiring network access to the Chartbrew instance and the ability to craft a malicious query.

Generated by OpenCVE AI on April 17, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chartbrew to version 4.8.1 or newer to apply the vendor fix.
  • If an immediate upgrade is not feasible, restrict the MongoDB dataset query endpoint to trusted IP ranges or internal networks.
  • Continuously monitor application logs for anomalous query activity, especially patterns that resemble code injection attempts.

Generated by OpenCVE AI on April 17, 2026 at 12:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Depomo
Depomo chartbrew
CPEs cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*
Vendors & Products Depomo
Depomo chartbrew

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Chartbrew
Chartbrew chartbrew
Vendors & Products Chartbrew
Chartbrew chartbrew

Fri, 06 Mar 2026 04:45:00 +0000

Type Values Removed Values Added
Description Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.
Title Chartbrew: Remote Code Execution (RCE) via MongoDB Dataset Query
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Chartbrew Chartbrew
Depomo Chartbrew
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:08:48.969Z

Reserved: 2026-02-06T21:08:39.129Z

Link: CVE-2026-25887

cve-icon Vulnrichment

Updated: 2026-03-06T15:58:23.034Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T05:16:29.690

Modified: 2026-03-10T14:07:21.357

Link: CVE-2026-25887

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses