{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-06T21:08:39.130Z", "datePublished": "2026-03-06T04:07:26.290Z", "dateUpdated": "2026-03-06T16:08:41.728Z"}, "containers": {"cna": {"title": "Chartbrew: Remote Code Execution (RCE) via Vulnerable API", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-875w-45c2-gxq8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-875w-45c2-gxq8"}, {"name": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1"}], "affected": [{"vendor": "chartbrew", "product": "chartbrew", "versions": [{"version": "< 4.8.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:07:26.290Z"}, "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1."}], "source": {"advisory": "GHSA-875w-45c2-gxq8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T15:58:19.802680Z", "id": "CVE-2026-25888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:08:41.728Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T15:58:19.802680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:58:20.907Z"}}], "cna": {"title": "Chartbrew: Remote Code Execution (RCE) via Vulnerable API", "source": {"advisory": "GHSA-875w-45c2-gxq8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chartbrew", "product": "chartbrew", "versions": [{"status": "affected", "version": "< 4.8.1"}]}], "references": [{"url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-875w-45c2-gxq8", "name": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-875w-45c2-gxq8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1", "name": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:07:26.290Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25888", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:08:41.728Z", "dateReserved": "2026-02-06T21:08:39.130Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:07:26.290Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*", "matchCriteriaId": "55A8DB77-A290-400C-B2C5-7D0C7C82F7BE", "versionEndExcluding": "4.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1."}, {"lang": "es", "value": "Chartbrew es una aplicaci\u00f3n web de c\u00f3digo abierto que puede conectarse directamente a bases de datos y API y usar los datos para crear gr\u00e1ficos. Antes de la versi\u00f3n 4.8.1, existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de una API vulnerable. Este problema ha sido parcheado en la versi\u00f3n 4.8.1."}], "id": "CVE-2026-25888", "lastModified": "2026-03-10T14:05:56.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:29.903", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-875w-45c2-gxq8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.8.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "chartbrew", "source": "cna", "vendor": "chartbrew"}, "product": "chartbrew", "vendor": "chartbrew"}], "analysis": {"en": {"generated_at": "2026-04-16T11:41:15.340846+00:00", "value": {"mitigation_remediation": ["Upgrading to Chartbrew version 4.8.1, which includes the RCE fix, is the definitive remediation.", "Restrict API access to trusted IP ranges or authenticated users to reduce exposure.", "Implement logging and monitoring of API traffic to detect anomalous code execution attempts or unexpected API behavior."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all deployments of Chartbrew prior to version 4.8.1. Installations using any version older than 4.8.1 are susceptible and should be updated as soon as possible.", "description_and_impact": "Chartbrew, an open-source analytics platform, contains a remote code execution flaw discovered in its API. The flaw permits an attacker to inject and execute arbitrary code via the vulnerable endpoint, exposing the server to complete compromise of confidentiality, integrity, and availability. The weakness maps to CWE\u201194, an issue involving unsanitized code execution.", "risk_and_exploitability": "The CVSS v3.1 score of 8.8 marks this a high\u2011risk vulnerability. EPSS indicates the exploitation probability is less than 1%, but the flaw is publicly disclosed and may be used by adversaries with the appropriate API credentials. Chartbrew is not yet listed in the CISA KEV catalog, though the lack of listing does not mitigate the need for immediate action. The likely attack vector is via crafted API calls that accept code payloads, so any exposed API endpoint without proper authentication or input validation can be exploited."}}}}, "created": "2026-03-06T14:55:58.995963+00:00", "updated": "2026-04-16T11:45:26.268909+00:00", "vendors": ["chartbrew", "chartbrew$PRODUCT$chartbrew"]}