CVE-2026-41518
Deferred - Pending Action
Stored XSS in Chartbrew Dashboard via ChartDatasetConfig

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the `ChartDatasetConfig.legend` field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded `innerHTML` assignment in `ChartTooltip.js`. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load; no hover interaction is required. Browser-based Playwright verification confirmed `alert('localhost')` fires immediately and `<img src="x" onerror="alert(document.domain)">` is present in the `#chartjs-tooltip` DOM element. Version 5.0.1 contains a fix.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-05
Generated: 2026-06-26
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-24
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    | Product   | Version / Range
chartbrew | chartbrew | From 4.9.0 (inc) to 5.0.0 (inc)
chartbrew | chartbrew | 5.0.1
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-41518 is a stored DOM cross-site scripting (XSS) vulnerability in Chartbrew versions 4.9.0 through 5.0.0. An authenticated user with project-editor permissions can inject arbitrary HTML or JavaScript into the ChartDatasetConfig.legend field. The payload is stored directly in the database without any validation or sanitization.

Later, when an unauthenticated user views a public dashboard, the injected code is rendered in chart tooltips through an unsafe innerHTML assignment in the ChartTooltip.js file. This causes the malicious JavaScript to execute immediately upon page load, without requiring any user interaction like hovering.

The vulnerability affects multiple chart types due to shared tooltip logic and allows full JavaScript execution in the victim's browser.

Impact Analysis

Exploitation of this vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of anyone viewing the affected public dashboards. This can lead to serious security impacts such as:

  • Theft of cookies and session tokens (e.g., JWTs), enabling account hijacking.
  • Capture of keystrokes, potentially exposing sensitive information.
  • Manipulation of the Document Object Model (DOM), which can alter the displayed content or perform malicious actions.

Because the malicious code executes automatically on page load for all public dashboard viewers, the scope of impact is broad and affects unauthenticated users as well.

Detection Guidance

Exploitation can be detected by checking whether any stored ChartDatasetConfig.legend value contains HTML or JavaScript, since only authenticated users with project-editor permissions can write that field.

One way to verify exploitation is to inspect the tooltip DOM element (#chartjs-tooltip) on public dashboards for injected scripts or HTML payloads such as <img src="x" onerror="alert(document.domain)"> or alert('localhost') firing immediately on page load.

Since the vulnerability involves stored XSS in the database, you can query the database directly for suspicious content in the ChartDatasetConfig.legend field.

  • Use a database query to search for suspicious HTML/JavaScript in the legend field, for example (SQL syntax may vary): SELECT legend FROM ChartDatasetConfig WHERE legend LIKE '%<script>%' OR legend LIKE '%onerror=%';
  • Use browser developer tools or automated browser testing tools like Playwright to load public dashboards and check if alert dialogs or unexpected scripts execute immediately.

Mitigation Strategies

The immediate mitigation step is to upgrade Chartbrew to version 5.0.1 or later, which contains the fix for this stored DOM XSS vulnerability.

Until the upgrade can be applied, restrict project-editor permissions to trusted users only, as only authenticated users with these permissions can inject malicious payloads.

Consider reviewing and sanitizing existing data in the ChartDatasetConfig.legend field to remove any malicious HTML or JavaScript payloads.

Avoid exposing public dashboards to unauthenticated users if possible, or implement additional access controls to limit exposure.

Compliance Impact

The vulnerability allows an authenticated user to inject arbitrary JavaScript into public dashboards, which executes in the browsers of unauthenticated viewers. This can lead to actions such as cookie theft, JWT exfiltration, keystroke capture, and DOM manipulation.

Such unauthorized access and exfiltration of sensitive data could potentially violate data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, the presence of this vulnerability may compromise compliance with these standards by exposing user data to attackers through cross-site scripting attacks.
