Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.
Published: 2026-03-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Chartbrew, an open-source analytics platform, contains a remote code execution flaw discovered in its API. The flaw permits an attacker to inject and execute arbitrary code via the vulnerable endpoint, exposing the server to complete compromise of confidentiality, integrity, and availability. The weakness maps to CWE‑94, an issue involving unsanitized code execution.

Affected Systems

The vulnerability affects all deployments of Chartbrew prior to version 4.8.1. Installations using any version older than 4.8.1 are susceptible and should be updated as soon as possible.

Risk and Exploitability

The CVSS v3.1 score of 8.8 marks this a high‑risk vulnerability. EPSS indicates the exploitation probability is less than 1%, but the flaw is publicly disclosed and may be used by adversaries with the appropriate API credentials. Chartbrew is not yet listed in the CISA KEV catalog, though the lack of listing does not mitigate the need for immediate action. The likely attack vector is via crafted API calls that accept code payloads, so any exposed API endpoint without proper authentication or input validation can be exploited.

Generated by OpenCVE AI on April 16, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrading to Chartbrew version 4.8.1, which includes the RCE fix, is the definitive remediation.
  • Restrict API access to trusted IP ranges or authenticated users to reduce exposure.
  • Implement logging and monitoring of API traffic to detect anomalous code execution attempts or unexpected API behavior.

Generated by OpenCVE AI on April 16, 2026 at 11:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Depomo
Depomo chartbrew
CPEs cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*
Vendors & Products Depomo
Depomo chartbrew

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Chartbrew
Chartbrew chartbrew
Vendors & Products Chartbrew
Chartbrew chartbrew

Fri, 06 Mar 2026 04:45:00 +0000

Type Values Removed Values Added
Description Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.
Title Chartbrew: Remote Code Execution (RCE) via Vulnerable API
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Chartbrew Chartbrew
Depomo Chartbrew
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:08:41.728Z

Reserved: 2026-02-06T21:08:39.130Z

Link: CVE-2026-25888

cve-icon Vulnrichment

Updated: 2026-03-06T15:58:20.907Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T05:16:29.903

Modified: 2026-03-10T14:05:56.753

Link: CVE-2026-25888

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses