PatchSiren cyber security CVE debrief

CVE-2026-41518 chartbrew CVE debrief

CVE-2026-41518 is a stored cross-site scripting (XSS) vulnerability affecting Chartbrew, an open-source web application used for connecting to databases and APIs to create charts. The vulnerability exists in versions 4.9.0 through 5.0.0. An authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the `ChartDatasetConfig.legend` field. This payload is persisted in the database and injected into the tooltip DOM element via an unguarded `innerHTML` assignment in `ChartTooltip.js`. Consequently, every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load without requiring any hover interaction. The CVSS score for this vulnerability is 7.6, indicating a high severity. A fix for this vulnerability is available in version 5.0.1.

Vendor: chartbrew
Product: Unknown
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-05
Advisory published: 2026-06-04
Advisory updated: 2026-06-05

Who should care

Administrators of Chartbrew installations, and Chartbrew users in general (especially those who hold project-editor permissions or publish public dashboards), should be aware of this vulnerability. They should assess their exposure and take steps to mitigate the risk, primarily by updating to version 5.0.1 or applying the appropriate patches.

Technical summary

The vulnerability allows an authenticated user with project-editor permissions to inject arbitrary HTML/JavaScript into the `ChartDatasetConfig.legend` field. This value is neither sanitized nor encoded before it is written to the tooltip DOM element, so it executes in the browser of any unauthenticated user who views the public dashboard. Exploitation requires no user interaction beyond loading the page.
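As an added illustration (example code written for this debrief, not Chartbrew's own `ChartTooltip.js`), the snippet below contrasts the pattern the advisory describes, untrusted legend text interpolated into markup destined for `innerHTML`, with a hardened version that HTML-encodes the value before rendering. The function names, the `escapeHtml` helper and the sample legend string are constructed for this example; the only page-derived detail is the `alert('localhost')` payload the evidence notes mention. The `legendLooksLikeMarkup` check is an audit helper for reviewing stored `legend` values after patching.

```javascript
// Constructed sample of a stored legend value containing markup; the payload
// text mirrors the one named in the evidence notes of this debrief.
const CONSTRUCTED_LEGEND = "Revenue <script>alert('localhost')</script>";

// Vulnerable pattern (as described in the advisory, not Chartbrew's code):
// the legend string is concatenated straight into markup that the caller then
// assigns with `el.innerHTML = ...`, so any tags in it become live DOM nodes.
function buildTooltipMarkupUnsafe(legend, value) {
  return `<span class="legend">${legend}</span>: <span class="value">${value}</span>`;
}

// Minimal HTML entity encoding for text that will sit inside element content
// or a double-quoted attribute. Order matters: `&` must be encoded first.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened variant: every untrusted value is encoded before interpolation, so
// the browser renders the legend as literal text rather than parsing it.
function buildTooltipMarkupSafe(legend, value) {
  return `<span class="legend">${escapeHtml(legend)}</span>: <span class="value">${escapeHtml(value)}</span>`;
}

// Preferred fix where a DOM is available: build nodes and assign textContent,
// which never invokes the HTML parser. `tooltipEl` is any DOM element
// (browser or jsdom); this function is not exercised offline.
function renderTooltip(tooltipEl, legend, value) {
  const doc = tooltipEl.ownerDocument;
  tooltipEl.textContent = ""; // clear previous content without innerHTML
  const legendEl = doc.createElement("span");
  legendEl.className = "legend";
  legendEl.textContent = legend; // text, never markup
  const valueEl = doc.createElement("span");
  valueEl.className = "value";
  valueEl.textContent = String(value);
  tooltipEl.append(legendEl, doc.createTextNode(": "), valueEl);
}

// Audit helper for stored data: flags legend values that contain characters
// or schemes a browser could interpret as markup or script. Useful when
// reviewing `ChartDatasetConfig.legend` rows after upgrading.
function legendLooksLikeMarkup(legend) {
  const s = String(legend);
  return /[<>]/.test(s) || /javascript\s*:/i.test(s) || /on\w+\s*=/i.test(s);
}

// Stand-alone demonstration when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe markup :", buildTooltipMarkupUnsafe(CONSTRUCTED_LEGEND, 42));
  console.log("safe markup   :", buildTooltipMarkupSafe(CONSTRUCTED_LEGEND, 42));
  console.log("flagged       :", legendLooksLikeMarkup(CONSTRUCTED_LEGEND));
}
```

The unsafe builder is kept only to make the contrast visible; in a real fix the `innerHTML` assignment is replaced outright (the `renderTooltip` approach), and output encoding such as `escapeHtml` is the fallback where a string template cannot be avoided.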

Defensive priority

High

Recommended defensive actions

  • Update Chartbrew to version 5.0.1 or later.
  • Restrict project-editor permissions to trusted users.
  • Monitor dashboard usage for suspicious activity.

Evidence notes

The CVE-2026-41518 record and associated details were obtained from official sources, including the National Vulnerability Database (NVD) and GitHub security advisories. Browser-based Playwright verification confirmed the execution of JavaScript payloads, such as `alert('localhost')`, without requiring user interaction.

Official resources

CVE-2026-41518 was published on 2026-06-04T20:16:57.960Z and modified on 2026-06-05T20:17:31.547Z.