CVE-2026-25877

Source
https://cve.org/CVERecord?id=CVE-2026-25877
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25877.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25877
Aliases
  • GHSA-9fcr-x8x8-mrxc
Published
2026-03-06T04:07:01.105Z
Modified
2026-04-10T05:40:48.085321Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Chartbrew: Insecure Direct Object Reference (IDOR) in Chart Operations
Details

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the projectid parameter when handling chart-related operations (update, delete, etc.). No authorization check is performed against the chartid itself. This allows an authenticated user who has access to any project to manipulate or access charts belonging to other users or projects. This issue has been patched in version 4.8.1.

Database specific
{
    "cwe_ids": [
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25877.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/chartbrew/chartbrew

Affected ranges

Type
GIT
Repo
https://github.com/chartbrew/chartbrew
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0
v1.0.0-beta.1
v1.0.0-beta.1.1
v1.0.0-beta.10
v1.0.0-beta.11
v1.0.0-beta.13
v1.0.0-beta.2
v1.0.0-beta.2.1
v1.0.0-beta.2.2
v1.0.0-beta.2.3
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.4.1
v1.0.0-beta.4.2
v1.0.0-beta.5
v1.0.0-beta.5.1
v1.0.0-beta.5.2
v1.0.0-beta.5.4
v1.0.0-beta.5.5
v1.0.0-beta.5.6
v1.0.0-beta.6
v1.0.0-beta.7
v1.0.0-beta.8
v1.0.0-beta.8.1
v1.0.0-beta.9
v1.0.0-beta.9.1
v1.0.0-beta.9.2
v1.0.0-beta.9.3
v1.1.0
v1.1.1
v1.10.0
v1.11.0
v1.11.1
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.18.1
v1.19.0
v1.19.1
v1.2.0
v1.20.0
v1.20.1
v1.20.2
v1.21.0
v1.21.1
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.5.1
v1.5.3
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v2.*
v2.0.0
v2.0.0-rc.1
v2.0.0-rc.2
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.8.0
v3.*
v3.0.0
v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-beta.3
v3.1.0
v3.1.1
v3.10.0
v3.11.0
v3.11.1
v3.12.0
v3.13.0
v3.2.0
v3.2.1
v3.3.0
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.7.0
v3.8.0
v3.8.1
v3.8.2
v3.9.0
v4.*
v4.0.0
v4.0.1
v4.1.0
v4.2.0
v4.2.1
v4.3.0
v4.4.0
v4.5.0
v4.6.0
v4.7.0
v4.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25877.json"