CVE-2026-25877
Last modified
CVE-2026-25877 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations (update, delete, etc.). EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations (update, delete, etc.). No authorization check is performed against the chart_id itself. This allows an authenticated user who has access to any project to manipulate or access charts belonging to other users/ project. This issue has been patched in version 4.8.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Depomo | Chartbrew | < 4.8.1 |
References
- https://github.com/chartbrew/chartbrew/security/advisories/GHSA-9fcr-x8x8-mrxcExploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-25877?
How severe is CVE-2026-25877?
How do I fix CVE-2026-25877?
Are you affected by CVE-2026-25877?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST