Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows reading, modifying, or deleting data in those databases depending on the database user's privileges. This issue has been patched in version 4.8.3.
Published: 2026-03-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary SQL injection affecting database contents
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a classic SQL injection flaw in the date‑type variable handling within the applyMysqlOrPostgresVariables function. An attacker can input unsanitized variables that are directly interpolated into dynamic queries, allowing the execution of arbitrary SQL. Depending on the privileges of the database user configured in Chartbrew, the attacker could read sensitive data, modify records, or delete entire tables, compromising confidentiality, integrity, and availability.

Affected Systems

All deployments of Chartbrew running any release earlier than v4.8.3 are affected. Versions 4.8.3 and later contain the fix and are therefore not vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, reflecting the potential for an attacker to gain elevated database privileges or compromise data integrity. The EPSS score of less than 1 % suggests that exploitation is currently uncommon, yet the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote, as the flaw can be triggered by unauthenticated actors submitting unsanitized input to the application. An attacker who exploits this flaw can execute arbitrary SQL against any database that Chartbrew connects to, leading to data disclosure, modification, or deletion.

Generated by OpenCVE AI on April 17, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chartbrew to version 4.8.3 or later to apply the official patch.
  • Restrict the database credentials that Chartbrew uses to the minimum privileges required for its operation, ideally read‑only if write access is not needed.
  • Limit external exposure of the Chartbrew instance by placing it behind a firewall, VPN, or authentication gateway until the upgrade is complete.

Generated by OpenCVE AI on April 17, 2026 at 12:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Depomo
Depomo chartbrew
CPEs cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*
Vendors & Products Depomo
Depomo chartbrew
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Chartbrew
Chartbrew chartbrew
Vendors & Products Chartbrew
Chartbrew chartbrew

Fri, 06 Mar 2026 04:45:00 +0000

Type Values Removed Values Added
Description Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows reading, modifying, or deleting data in those databases depending on the database user's privileges. This issue has been patched in version 4.8.3.
Title Chartbrew: SQL injection in date-type variable handling (applyMysqlOrPostgresVariables)
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Chartbrew Chartbrew
Depomo Chartbrew
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:08:32.294Z

Reserved: 2026-02-17T03:08:23.489Z

Link: CVE-2026-27005

cve-icon Vulnrichment

Updated: 2026-03-06T16:00:26.353Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T05:16:30.367

Modified: 2026-03-10T14:04:01.353

Link: CVE-2026-27005

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses