Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project logos) without validating the file type or content. It trusts the extension provided by the user. These files are saved to the uploads/ directory and served statically. An attacker can upload an HTML file containing malicious JavaScript. Since authentication tokens are likely stored in localStorage (as they are returned in the API body), this XSS can lead to account takeover. This issue has been patched in version 4.8.4.
Published: 2026-03-06
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that enables account takeover by executing arbitrary JavaScript in a user’s browser
Action: Patch Immediately
AI Analysis

Impact

Chartbrew’s file upload API accepts any file based solely on its extension and stores it in a publicly served uploads directory. The lack of MIME type or content validation permits an attacker to upload an HTML file containing malicious script. When that file is served, the embedded JavaScript runs in the context of the site, potentially accessing authentication tokens stored in localStorage and leading to user account compromise.

Affected Systems

All installations of Chartbrew built before version 4.8.4 are vulnerable. The issue is fixed in Chartbrew 4.8.4 and later releases.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.3, indicating moderate severity, and an EPSS score of less than 1%, meaning the probability of exploitation is low. It is not listed in the CISA KEV catalog. The likely attack vector is a legitimate API call to the file upload endpoint, where an attacker can supply a crafted HTML file that is subsequently served without filtering, enabling stored XSS.

Generated by OpenCVE AI on April 17, 2026 at 12:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to Chartbrew version 4.8.4 or later, which validates uploaded file types.
  • If an upgrade is not immediately feasible, configure the server to reject uploads that are not legitimate image MIME types (e.g., image/png, image/jpeg) and validate the file’s content before saving.
  • Move or remove the shared uploads directory from the static public path, serving files through a controlled endpoint that sanitizes output or sets proper content‑disposition headers.

Tracking


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Depomo; Depomo chartbrew
CPEs                |                | cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*
Vendors & Products  |                | Depomo; Depomo chartbrew

Fri, 06 Mar 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Chartbrew; Chartbrew chartbrew
Vendors & Products  |                | Chartbrew; Chartbrew chartbrew

Fri, 06 Mar 2026 04:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project logos) without validating the file type or content. It trusts the extension provided by the user. These files are saved to the uploads/ directory and served statically. An attacker can upload an HTML file containing malicious JavaScript. Since authentication tokens are likely stored in localStorage (as they are returned in the API body), this XSS can lead to account takeover. This issue has been patched in version 4.8.4.
Title       |                | Chartbrew: Stored Cross-Site Scripting (XSS) via File Upload API
Weaknesses  |                | CWE-434; CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:08:17.112Z

Reserved: 2026-02-20T19:43:14.602Z

Link: CVE-2026-27605

Vulnrichment

Updated: 2026-03-06T15:50:40.602Z

NVD

Status: Analyzed

Published: 2026-03-06T05:16:31.243

Modified: 2026-03-10T14:01:09.233

Link: CVE-2026-27605

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses