216.73.217.80

CVE-2026-40600

· Published 30/04/2026 19:16 · Modified 30/04/2026 20:16

Labels: CVE-2026-40600 2026-04-30CVE-2026-40600CWE-639[email protected]

Essential information

Published
30/04/2026 19:16
Modified
30/04/2026 20:16
Author
Creator
CVSS
8.1 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
chartbrew / chartbrew cpe:2.3:a:chartbrew:chartbrew:4.9.0:*:*:*:*:*:*:*
chartbrew / chartbrew cpe:2.3:a:chartbrew:chartbrew:5.0.0:*:*:*:*:*:*:*

References