HIGH 7.6

CVE-2026-41518: Chartbrew Stored XSS in Chart Legend (Versions 4.9.0–5.0.0)

Chartbrew, an open-source data visualization platform, contains a stored cross-site scripting (XSS) vulnerability affecting versions 4.9.0 through 5.0.0. A project editor can inject malicious HTML and JavaScript into chart legend fields, which is then executed in the browsers of anyone viewing the public dashboard—including unauthenticated users—without requiring any user interaction. This allows an attacker to steal sensitive data, hijack user sessions, or perform actions on behalf of viewers.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the `ChartDatasetConfig.legend` field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded `innerHTML` assignment in `ChartTooltip.js`. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load — no hover interaction is required. Browser-based Playwright verification confirmed `alert('localhost')` fires immediately and `<img src="x" onerror="alert(document.domain)">` is present in the `#chartjs-tooltip` DOM element. Version 5.0.1 contains a fix.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper sanitization in the Chart.js tooltip rendering pipeline. Specifically, the `ChartTooltip.js` component uses an unguarded `innerHTML` assignment to populate tooltip DOM elements with content sourced from the `ChartDatasetConfig.legend` field. An authenticated user with project-editor permissions can store arbitrary HTML and JavaScript payloads in this field; the payload persists in the database and is injected verbatim into the tooltip DOM on page render. Verification testing demonstrates that JavaScript executes immediately upon dashboard load for all viewers, regardless of authentication status or user interaction.

Business impact

Organizations using Chartbrew to share public dashboards face significant risk. Attackers with project-editor access can compromise dashboard viewers' browsers, enabling credential theft, malware injection, or unauthorized API calls to backend systems connected to the Chartbrew instance. Since execution occurs on page load for unauthenticated users, any individual with the public dashboard URL is vulnerable. For organizations sharing dashboards with external partners or customers, the reputational and legal implications of a compromise could be severe.

Affected systems

Chartbrew versions 4.9.0 through 5.0.0 are affected. The vulnerability requires an authenticated user with project-editor permissions to introduce the payload, meaning internal users, contractors, or compromised accounts with editor access pose the primary threat vector. Version 5.0.1 and later contain the remediation.

Exploitability

The attack is relatively straightforward to execute: an attacker with project-editor privileges inputs a malicious script into the legend field and saves the configuration. No user interaction is needed; the payload fires automatically when any viewer loads the dashboard. The low complexity, lack of user interaction requirement, and network-accessible nature of public dashboards make this vulnerability moderately easy to weaponize in real-world scenarios. However, the prerequisite of project-editor access (or account compromise) provides a partial control boundary.

Remediation

Upgrade to Chartbrew version 5.0.1 or later, which includes fixes to sanitize legend field input and prevents innerHTML injection. If immediate patching is not feasible, restrict project-editor role assignments to trusted users only, limit public dashboard sharing, and review dashboard access logs for suspicious modifications to chart configurations.

Patch guidance

Apply version 5.0.1 or any later release through your package manager or by rebuilding from the updated source repository. Verify the patch is deployed by confirming the version string in the application UI and reviewing the Chart.js tooltip rendering code to ensure innerHTML is no longer used for untrusted input. Test public dashboard functionality after patching to confirm charts render correctly.

Detection guidance

Examine the `ChartDatasetConfig.legend` field in your Chartbrew database for HTML tags, script elements, or event handler attributes (e.g., `onerror=`, `onclick=`). Review access logs for project-editor role assignments and recent modifications to chart configurations by unexpected users. Monitor for JavaScript console errors or unusual network requests originating from dashboard viewers' browsers. If using a web application firewall or content security policy, log and alert on inline script execution attempts within dashboard contexts.

Why prioritize this

This vulnerability merits prompt attention because it enables cross-site scripting attacks against all public dashboard viewers without requiring user interaction. The HIGH CVSS score (7.6) reflects the high confidentiality impact, cross-site scope, and relatively easy exploitation path for authorized users. While not in CISA's KEV catalog, the combination of low barriers to execution and potential for widespread impact across dashboard audiences warrants prioritization within your patching schedule—particularly if your organization hosts or shares Chartbrew dashboards with external parties.

Risk score, explained

The CVSS 3.1 score of 7.6 (HIGH) is driven by: high confidentiality impact (user sessions, data in page context), low integrity impact (ability to modify displayed content or inject redirects), no availability impact, network-accessible attack vector, low attack complexity, and requirement for prior authentication with project-editor role. The cross-site scope multiplier elevates the severity because attacks propagate to unauthenticated viewers beyond the application boundary. However, the authenticated prerequisite prevents a 'Critical' rating.

Frequently asked questions

Do attackers need to interact with the dashboard to trigger the payload?

No. The malicious JavaScript executes automatically when the page loads, before any user hover or click interaction occurs. Every viewer of a compromised public dashboard is affected immediately upon visiting the URL.

Does this vulnerability affect private dashboards?

Yes. Any dashboard—public or private—is vulnerable if the viewer's browser receives and renders the chart. However, private dashboards limit the attack surface to authenticated users with access. Public dashboards expose the vulnerability to anyone with the URL.

Can this vulnerability be exploited without project-editor permissions?

No. Exploitation requires an authenticated user with project-editor role to store the payload in the legend field. However, if an attacker compromises an editor account or if an insider has malicious intent, the attack is trivial to execute.

What should I do if I suspect a dashboard has been compromised?

Immediately take the dashboard offline or restrict access, review the chart configurations for suspicious HTML or scripts in legend fields, audit project-editor role assignments, reset credentials for affected users, and check browser logs of viewers for unexpected script execution or network requests.

This analysis is based on the published vulnerability record and vendor advisories current as of the modification date. Organizations should verify patch availability and compatibility with their deployment before applying updates. No warranty is provided regarding the completeness or currency of this analysis. Always consult official vendor security advisories and test patches in non-production environments prior to production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).