CVE-2026-41518
Stored XSS in Chartbrew Dashboard via ChartDatasetConfig
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chartbrew | chartbrew | From 4.9.0 (inc) to 5.0.0 (inc) |
| chartbrew | chartbrew | 5.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41518 is a Stored DOM Cross-Site Scripting (XSS) vulnerability in ChartBrew versions 4.9.0 through 5.0.0. An authenticated user with project-editor permissions can inject arbitrary HTML or JavaScript code into the ChartDatasetConfig.legend field. This malicious payload is stored directly in the database without any validation or sanitization.
Later, when an unauthenticated user views a public dashboard, the injected code is rendered in chart tooltips through an unsafe innerHTML assignment in the ChartTooltip.js file. This causes the malicious JavaScript to execute immediately upon page load, without requiring any user interaction like hovering.
The vulnerability affects multiple chart types due to shared tooltip logic and allows full JavaScript execution in the victim's browser.
How can this vulnerability impact me?
Exploitation of this vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of anyone viewing the affected public dashboards. This can lead to serious security impacts such as:
- Theft of cookies and session tokens (e.g., JWTs), enabling account hijacking.
- Capture of keystrokes, potentially exposing sensitive information.
- Manipulation of the Document Object Model (DOM), which can alter the displayed content or perform malicious actions.
Because the malicious code executes automatically on page load for all public dashboard viewers, the scope of impact is broad and affects unauthenticated users as well.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the ChartDatasetConfig.legend field contains HTML or JavaScript markup, which only an authenticated user with project-editor permissions could have injected.
One way to verify exploitation is to inspect the tooltip DOM element (#chartjs-tooltip) on public dashboards for injected scripts or HTML payloads such as <img src="x" onerror="alert(document.domain)"> or alert('localhost') firing immediately on page load.
Since the vulnerability involves stored XSS in the database, you can query the database directly for suspicious content in the ChartDatasetConfig.legend field.
- Use a database query to search for suspicious HTML/JavaScript in the legend field, for example (SQL syntax may vary): SELECT legend FROM ChartDatasetConfig WHERE legend LIKE '%<script>%' OR legend LIKE '%onerror=%';
- Use browser developer tools or automated browser testing tools like Playwright to load public dashboards and check if alert dialogs or unexpected scripts execute immediately.
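The two defensive checks implied above, as an added example that is not Chartbrew's own code: a tooltip renderer that escapes the legend before it is placed in markup (the fix for the unsafe innerHTML assignment described in the first answer), and a legend audit that generalises the SQL LIKE patterns to any tag, any on* handler attribute or a javascript: URL. The function names and the sample rows are constructed for the example.

```javascript
// Added example, not code from Chartbrew. renderTooltipHtml and auditLegends
// are hypothetical names; sampleRows stands in for ChartDatasetConfig records.

// Escape the characters that let a string break out of HTML text or an
// attribute value. Anything that ends up in innerHTML must pass through this.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened form of the tooltip: the layout is a fixed template and every
// user-controlled field (legend, value) is escaped, so a stored payload such
// as <img onerror=...> is displayed as literal text instead of being parsed.
// The vulnerable pattern is the opposite: tooltipEl.innerHTML = legend.
function renderTooltipHtml(rows) {
  const lines = rows.map(
    (r) =>
      `<div class="row"><span class="legend">${escapeHtml(r.legend)}</span>: ` +
      `${escapeHtml(r.value)}</div>`
  );
  return `<div id="chartjs-tooltip">${lines.join("")}</div>`;
}

// Audit helper for the database check: flag legends containing a tag,
// an on* event-handler attribute, or a javascript: URL (case-insensitive).
const SUSPICIOUS = /<\s*\/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;

function auditLegends(rows) {
  return rows
    .filter((r) => SUSPICIOUS.test(r.legend))
    .map((r) => ({ id: r.id, legend: r.legend }));
}

// Constructed sample rows: one benign legend with HTML-special characters,
// one carrying the probe payload quoted in the detection answer above.
const sampleRows = [
  { id: 1, legend: "R&D spend, Q1 <3 Q2", value: 1200 },
  { id: 2, legend: '<img src="x" onerror="alert(document.domain)">', value: 5 },
];

console.log(renderTooltipHtml(sampleRows));
console.log(auditLegends(sampleRows)); // flags only id 2
```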
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Chartbrew to version 5.0.1 or later, which contains the fix for this stored DOM XSS vulnerability.
Until the upgrade can be applied, restrict project-editor permissions to trusted users only, as only authenticated users with these permissions can inject malicious payloads.
Consider reviewing and sanitizing existing data in the ChartDatasetConfig.legend field to remove any malicious HTML or JavaScript payloads.
Avoid exposing public dashboards to unauthenticated users if possible, or implement additional access controls to limit exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user to inject arbitrary JavaScript into public dashboards, which executes in the browsers of unauthenticated viewers. This can lead to actions such as cookie theft, JWT exfiltration, keystroke capture, and DOM manipulation.
Such unauthorized access and exfiltration of sensitive data could potentially violate data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Therefore, the presence of this vulnerability may compromise compliance with these standards by exposing user data to attackers through cross-site scripting attacks.