Vulnerability Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations (update, delete, etc.). No authorization check is performed against the chart_id itself. This allows an authenticated user who has access to any project to manipulate or access charts belonging to other users/ project. This issue has been patched in version 4.8.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Depomo | Chartbrew | < 4.8.1 |
Related Weaknesses (CWE)
References
- https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1Release Notes
- https://github.com/chartbrew/chartbrew/security/advisories/GHSA-9fcr-x8x8-mrxcExploitVendor Advisory
FAQ
What is CVE-2026-25877?
CVE-2026-25877 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks bas...
How severe is CVE-2026-25877?
CVE-2026-25877 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25877?
Check the references section above for vendor advisories and patch information. Affected products include: Depomo Chartbrew.