CVE-2026-40595

HIGH EPSS 19.2%

Published Apr 30, 20262mo ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Apr 30, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

19.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-284

References 2

github.com https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0
github.com https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mq7q-6xh6-5649

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.