CVE-2026-25887
Remote Code Execution in Chartbrew MongoDB Dataset Query
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| depomo | chartbrew | up to 4.8.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25887 is a high-severity Remote Code Execution (RCE) vulnerability in the Chartbrew web application, specifically affecting version 4.8.0 and fixed in 4.8.1.
The vulnerability arises because the application uses the JavaScript Function() constructor with unsanitized user input in the runMongo function. This allows an attacker who is logged into the application to inject malicious code into the MongoDB dataset query interface.
By submitting specially crafted query payloads, an attacker can execute arbitrary shell commands on the server, gaining full server-side code execution privileges within the Node.js process context.
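As an added illustration of the CWE-94 pattern described above (this is example code, not Chartbrew's own runMongo implementation), the following contrasts a query runner that compiles user text with the Function constructor against a hardened replacement that treats the query as data. The function names, the accepted query grammar and the method allowlist are assumptions made for this example.

```javascript
// Added example, not Chartbrew's code: a simplified model of the CWE-94
// pattern the advisory describes (runQueryUnsafe) beside a hardened
// replacement (parseQuerySafe). Function names, the accepted query grammar
// and the method allowlist are assumptions made for this example.

// VULNERABLE pattern: user-controlled query text is spliced into source code
// and compiled with the Function constructor, so whatever the user typed runs
// with the full privileges of the Node.js process.
function runQueryUnsafe(queryText) {
  const fn = new Function("return " + queryText); // CWE-94: code built from input
  return fn();
}

// HARDENED pattern: the query is treated as data, never as code. Only this
// shape is accepted:
//   collection('<name>').<method>(<json>)[.<method>(<json>)...]
// Method names must be on an allowlist and every argument must parse as JSON.
const ALLOWED_METHODS = new Set(["find", "aggregate", "sort", "limit", "skip", "count"]);
// MongoDB operators that evaluate JavaScript server-side are refused as well.
const FORBIDDEN_OPERATORS = new Set(["$where", "$function", "$accumulator"]);
const COLLECTION_RE = /^collection\(\s*(['"])([A-Za-z0-9_]+)\1\s*\)/;
const CALL_RE = /^\.([A-Za-z]+)\(/;

function assertNoServerSideJs(value) {
  if (Array.isArray(value)) {
    value.forEach(assertNoServerSideJs);
  } else if (value !== null && typeof value === "object") {
    for (const [key, inner] of Object.entries(value)) {
      if (FORBIDDEN_OPERATORS.has(key)) throw new Error("operator not allowed: " + key);
      assertNoServerSideJs(inner);
    }
  }
}

// Returns the index of the ")" that closes the "(" at rest[openIdx],
// skipping parentheses that appear inside JSON string literals.
function findClosingParen(rest, openIdx) {
  let depth = 0, inString = false;
  for (let i = openIdx; i < rest.length; i++) {
    const ch = rest[i];
    if (inString) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === '"') inString = false;
    } else if (ch === '"') inString = true;
    else if (ch === "(") depth++;
    else if (ch === ")" && --depth === 0) return i;
  }
  return -1;
}

function parseQuerySafe(queryText) {
  const head = COLLECTION_RE.exec(queryText);
  if (!head) throw new Error("query must start with collection('<name>')");
  const collection = head[2];
  let rest = queryText.slice(head[0].length).trimStart();
  const chain = [];
  while (rest.length > 0) {
    const call = CALL_RE.exec(rest);
    if (!call) throw new Error("expected .method(...) near: " + rest.slice(0, 20));
    const method = call[1];
    if (!ALLOWED_METHODS.has(method)) throw new Error("method not allowed: " + method);
    const end = findClosingParen(rest, call[0].length - 1);
    if (end < 0) throw new Error("unbalanced parentheses in " + method + "()");
    const argText = rest.slice(call[0].length, end).trim();
    let arg;
    if (argText.length > 0) {
      try { arg = JSON.parse(argText); }           // data only: no evaluation
      catch (e) { throw new Error(method + "() argument is not JSON"); }
      assertNoServerSideJs(arg);
    }
    chain.push({ method, arg });
    rest = rest.slice(end + 1).trimStart();
  }
  if (chain.length === 0) throw new Error("query has no method calls");
  return { collection, chain };
}
```

The parsed `{ collection, chain }` structure can then be mapped onto driver calls by a fixed dispatch table; the point is that the text the user typed is never handed to an evaluator, and that `$where`-style operators, which would move the code execution from Node.js into MongoDB, are refused too.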
How can this vulnerability impact me?
Successful exploitation of this vulnerability can lead to complete system compromise.
- Reading sensitive files such as source code, configuration files, and secrets.
- Installing persistent malware on the server.
- Lateral movement to internal systems.
- Exfiltrating data from MongoDB and other connected databases.
- Performing unauthorized crypto-mining.
- Completely destroying the environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can lead to data breaches and unauthorized access to sensitive information, which may result in violations of regulations such as GDPR and PDPO.
Such regulatory violations can cause legal consequences and long-term reputational damage for affected organizations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Chartbrew installation is running a vulnerable version (4.8.0 or earlier) and by monitoring for suspicious MongoDB dataset queries that include injected JavaScript payloads.
One way to detect exploitation attempts is to look for unusual queries in the MongoDB dataset query interface that contain JavaScript Function() constructor calls or payloads similar to the example: version + (function(){ try { const r = global.process.mainModule.require('child_process'); return r.execSync('uname -a').toString(); } catch(e) { return e.toString(); } })()
You can also check the version of Chartbrew installed by running commands like:
- npm list chartbrew
- cat package.json | grep chartbrew
Additionally, monitoring server logs for unexpected execution of shell commands or unusual activity in the Node.js process may help detect exploitation. [1]
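As an added example that follows the two detection routes above (it is not from the advisory or the Chartbrew project), the following pairs a version check against the fixed release with an indicator scan over dataset-query log lines. The log line format, the indicator list and the sample lines are assumptions constructed for this example.

```javascript
// Added example, not part of the advisory or of Chartbrew: a version check
// and an indicator scan for dataset-query log lines. The log format, the
// indicator list and the sample lines below are constructed assumptions.
const FIXED_VERSION = "4.8.1";

// Numeric dotted-version comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Everything below the fixed release is in the advisory's affected range.
function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Indicators of JavaScript being smuggled into a dataset query. The first
// four follow the payload shape quoted in the advisory; the rest are common
// ways of reaching the runtime from an evaluated string.
const INDICATORS = [
  /child_process/i,
  /process\.mainModule/i,
  /execSync|spawnSync|exec\(/i,
  /\(function\s*\(/i,
  /Function\s*\(/,
  /constructor\s*\.\s*constructor/i,
  /require\s*\(/i,
];

// Assumed log format: "<iso-timestamp> user=<id> dataset=<id> query=<text>"
const LOG_RE = /^(\S+)\s+user=(\S+)\s+dataset=(\S+)\s+query=(.*)$/;

// Returns one finding per log line whose query matches any indicator.
function scanQueryLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;                       // not a query log line
    const [, ts, user, dataset, query] = m;
    const hits = INDICATORS.filter((re) => re.test(query)).map((re) => re.source);
    if (hits.length > 0) findings.push({ ts, user, dataset, hits });
  }
  return findings;
}

// Constructed sample lines (not real Chartbrew output): two ordinary dataset
// queries and one that carries the indicators from the advisory's payload.
const SAMPLE_LOG = [
  "2026-03-06T10:00:01Z user=12 dataset=7 query=collection('orders').find({\"status\": \"paid\"}).limit(50)",
  "2026-03-06T10:02:13Z user=12 dataset=7 query=collection('orders').aggregate([{\"$group\": {\"_id\": \"$status\", \"n\": {\"$sum\": 1}}}])",
  "2026-03-06T10:05:40Z user=31 dataset=9 query=version + (function(){ const r = global.process.mainModule.require('child_process'); /* ... */ })()",
];
```

Run over `SAMPLE_LOG`, `scanQueryLog` reports only the third line, with `child_process`, `process\.mainModule`, `\(function\s*\(` and `require\s*\(` as the matching indicators; pair that with `isVulnerableVersion` applied to the version string from `package.json` to decide whether a hit on a still-unpatched host needs incident handling rather than just an upgrade.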
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Chartbrew to version 4.8.1 or later, where the issue has been patched.
Until the upgrade can be applied, restrict access to the application to trusted users only, since exploitation requires the attacker to be logged in.
Additionally, review and sanitize any MongoDB dataset queries to prevent injection of malicious JavaScript code.
Monitor your system for signs of compromise such as unexpected processes, unusual network activity, or unauthorized data access.