CVE-2026-41518

HIGH 7.6

Chartbrew has a stored DOM XSS via Chart Tooltip innerHTML (ChartDatasetConfig.legend)

CVSS Score

7.6

EPSS Score

0.0%

EPSS Percentile

10th

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the `ChartDatasetConfig.legend` field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded `innerHTML` assignment in `ChartTooltip.js`. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load — no hover interaction is required. Browser-based Playwright verification confirmed `alert('localhost')` fires immediately and `<img src="x" onerror="alert(document.domain)">` is present in the `#chartjs-tooltip` DOM element. Version 5.0.1 contains a fix.

CWE	CWE-79
Vendor	chartbrew
Product	chartbrew
Published	Jun 4, 2026
Last Updated	Jun 5, 2026

Stay Ahead of the Next One

Get instant alerts for chartbrew chartbrew

Be the first to know when new high vulnerabilities affecting chartbrew chartbrew are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

chartbrew / chartbrew

>= 4.9.0, < 5.0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6q2j-365c-7gqf