CVE-2026-25888
Received Received - Intake
Remote Code Execution in Chartbrew API Before

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25888
EUVD
EUVD-2026-9977
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
depomo chartbrew to 4.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25888 is a high-severity Remote Code Execution (RCE) vulnerability in the open-source npm package Chartbrew version 4.8.0, patched in 4.8.1.

The vulnerability exists because the application uses the JavaScript Function() constructor with unsanitized user input in the testMongoQuery function inside ChartController.js.

An attacker who authenticates to the application can exploit the vulnerable API endpoint /project/[project id]/chart/test by injecting malicious code that executes arbitrary operating system commands on the server.

This allows the attacker to run OS commands, read or write files including sensitive data like source code, configuration files, secrets, and private keys, dump credentials and environment variables, exfiltrate or destroy data, install backdoors, pivot within internal networks, or disable the service.

The root cause is improper control of code generation (CWE-94), where externally influenced input is used to construct code without proper sanitization.

Impact Analysis

Exploitation of this vulnerability can lead to complete system compromise.

  • Attackers can execute arbitrary operating system commands on the server.
  • They can read, modify, or delete sensitive files including source code, configuration files, secrets, and private keys.
  • Credentials and environment variables can be dumped and exfiltrated.
  • Data from MongoDB and other connected systems can be stolen or destroyed.
  • Attackers can install backdoors and pivot within internal networks.
  • The service can be disabled, causing availability issues.

Overall, this can result in large-scale data breaches, supply-chain attacks, and severe regulatory and financial consequences.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious API calls to the vulnerable endpoint `/project/[project id]/chart/test` in Chartbrew versions prior to 4.8.1. Specifically, look for unusual payloads that attempt to execute code via the JavaScript Function() constructor.'}, {'type': 'paragraph', 'content': "Since exploitation requires authentication and involves the use of the 'Connection' feature to obtain a MongoDB connection ID, monitoring authenticated requests to this feature and the vulnerable API endpoint is important."}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can search application logs or network traffic for requests containing suspicious payloads similar to the example payload that executes OS commands, such as those containing `Function()` calls or attempts to run commands like `whoami`.'}, {'type': 'list_item', 'content': 'Check access logs or API logs for POST requests to `/project/[project id]/chart/test` with unusual payloads.'}, {'type': 'list_item', 'content': 'Use grep or similar tools on server logs to find occurrences of `Function(` or suspicious JavaScript code in request bodies.'}, {'type': 'list_item', 'content': "Example command to search logs for suspicious payloads: `grep -r 'Function(' /path/to/chartbrew/logs/`"}, {'type': 'list_item', 'content': 'Monitor for unexpected child process executions or unusual system commands in server logs or via system monitoring tools.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and most effective mitigation is to upgrade Chartbrew to version 4.8.1 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'Until the upgrade can be performed, restrict access to the vulnerable API endpoint `/project/[project id]/chart/test` by limiting authentication and network access to trusted users only.'}, {'type': 'paragraph', 'content': "Monitor and audit logs for any signs of exploitation attempts and consider temporarily disabling the 'Connection' feature if possible to reduce attack surface."}, {'type': 'paragraph', 'content': 'Apply network-level protections such as firewall rules or API gateways to block or inspect suspicious requests targeting the vulnerable endpoint.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25888. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart