Skip to main content

Chartbrew CVE-2026-41518

| EUVDEUVD-2026-34319 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-04 security-advisories@github.com
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 04, 2026 - 22:01 EUVD
Analysis Generated
Jun 04, 2026 - 20:32 vuln.today

DescriptionGitHub Advisory

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded innerHTML assignment in ChartTooltip.js. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load - no hover interaction is required. Browser-based Playwright verification confirmed alert('localhost') fires immediately and <img src="x" onerror="alert(document.domain)"> is present in the #chartjs-tooltip DOM element. Version 5.0.1 contains a fix.

AnalysisAI

Stored cross-site scripting in Chartbrew 4.9.0 through 5.0.0 lets a project-editor inject HTML/JavaScript into the ChartDatasetConfig.legend field, which is later rendered into the chart tooltip DOM via an unguarded innerHTML sink in ChartTooltip.js. Every unauthenticated viewer of a public dashboard executes the attacker payload on page load with no hover interaction required, and no public exploit is identified at time of analysis beyond the proof-of-concept payloads documented in the GitHub Security Advisory. Version 5.0.1 contains the fix.

Technical ContextAI

Chartbrew is an open-source Node.js/React web application that connects to databases and APIs to build dashboards using the Chart.js rendering library. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation) realized as a stored XSS: tainted data from the ChartDatasetConfig.legend field is persisted verbatim to the database, threaded through the Chart.js rendering pipeline, and finally written to the #chartjs-tooltip DOM element using innerHTML inside ChartTooltip.js. Because innerHTML parses HTML rather than escaping it, payloads such as <img src="x" onerror="..."> are activated by the browser as the tooltip element is constructed, before any user interaction occurs.

RemediationAI

Vendor-released patch: upgrade Chartbrew to version 5.0.1 or later, which corrects the unsafe innerHTML assignment in ChartTooltip.js (see https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6q2j-365c-7gqf). If immediate upgrade is not possible, compensating controls include unpublishing or access-restricting any public dashboards (which eliminates the unauthenticated victim surface but removes the public-sharing feature), tightening project-editor role assignments to trusted users only (reduces who can plant a payload but does not stop already-stored payloads from firing), auditing existing ChartDatasetConfig.legend values in the database for HTML/script content and sanitizing or clearing them, and deploying a strict Content-Security-Policy on the Chartbrew origin that forbids inline script execution (which can break legitimate inline handlers in the UI and should be tested in staging first).

Share

CVE-2026-41518 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy