CVE-2026-25887
Received Received - Intake

Remote Code Execution in Chartbrew MongoDB Dataset Query

Vulnerability report for CVE-2026-25887, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-07-06
AI Q&A
2026-03-06
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
depomo chartbrew to 4.8.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-25887 is a high-severity Remote Code Execution (RCE) vulnerability in the Chartbrew web application, specifically affecting version 4.8.0 and fixed in 4.8.1.

The vulnerability arises because the application uses the JavaScript Function() constructor with unsanitized user input in the runMongo function. This allows an attacker who is logged into the application to inject malicious code into the MongoDB dataset query interface.

By submitting specially crafted query payloads, an attacker can execute arbitrary shell commands on the server, gaining full server-side code execution privileges within the Node.js process context.

Impact Analysis

Successful exploitation of this vulnerability can lead to complete system compromise.

  • Reading sensitive files such as source code, configuration files, and secrets.
  • Installing persistent malware on the server.
  • Lateral movement to internal systems.
  • Exfiltrating data from MongoDB and other connected databases.
  • Performing unauthorized crypto-mining.
  • Completely destroying the environment.
Compliance Impact

This vulnerability can lead to data breaches and unauthorized access to sensitive information, which may result in violations of regulations such as GDPR and PDPO.

Such regulatory violations can cause legal consequences and long-term reputational damage for affected organizations.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Chartbrew installation is running a vulnerable version (4.8.0 or earlier) and by monitoring for suspicious MongoDB dataset queries that include injected JavaScript payloads.'}, {'type': 'paragraph', 'content': "One way to detect exploitation attempts is to look for unusual queries in the MongoDB dataset query interface that contain JavaScript Function() constructor calls or payloads similar to the example: version + (function(){{ try {{ const r = global.process.mainModule.require('child_process'); return r.execSync('uname -a').toString(); }} catch(e) {{ return e.toString(); }} }})()"}, {'type': 'paragraph', 'content': 'You can also check the version of Chartbrew installed by running commands like:'}, {'type': 'list_item', 'content': 'npm list chartbrew'}, {'type': 'list_item', 'content': 'cat package.json | grep chartbrew'}, {'type': 'paragraph', 'content': 'Additionally, monitoring server logs for unexpected execution of shell commands or unusual activity in the Node.js process may help detect exploitation.'}] [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Chartbrew to version 4.8.1 or later, where the issue has been patched.

Until the upgrade can be applied, restrict access to the application to trusted users only, since exploitation requires the attacker to be logged in.

Additionally, review and sanitize any MongoDB dataset queries to prevent injection of malicious JavaScript code.

Monitor your system for signs of compromise such as unexpected processes, unusual network activity, or unauthorized data access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25887. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart