CVE-2026-27005

Source
https://cve.org/CVERecord?id=CVE-2026-27005
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27005.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27005
Aliases
  • GHSA-w5rh-v333-qq6c
Published
2026-03-06T04:07:36.324Z
Modified
2026-03-14T02:00:01.675369Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Chartbrew: SQL injection in date-type variable handling (applyMysqlOrPostgresVariables)
Details

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows reading, modifying, or deleting data in those databases depending on the database user's privileges. This issue has been patched in version 4.8.3.

Database specific
{
    "cwe_ids": [
        "CWE-89"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27005.json"
}
References

Affected packages

Git / github.com/chartbrew/chartbrew

Affected ranges

Type
GIT
Repo
https://github.com/chartbrew/chartbrew
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0
v1.0.0-beta.1
v1.0.0-beta.1.1
v1.0.0-beta.10
v1.0.0-beta.11
v1.0.0-beta.12
v1.0.0-beta.13
v1.0.0-beta.2
v1.0.0-beta.2.1
v1.0.0-beta.2.2
v1.0.0-beta.2.3
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.4.1
v1.0.0-beta.4.2
v1.0.0-beta.5
v1.0.0-beta.5.1
v1.0.0-beta.5.2
v1.0.0-beta.5.3
v1.0.0-beta.5.4
v1.0.0-beta.5.5
v1.0.0-beta.5.6
v1.0.0-beta.6
v1.0.0-beta.7
v1.0.0-beta.8
v1.0.0-beta.8.1
v1.0.0-beta.9
v1.0.0-beta.9.1
v1.0.0-beta.9.2
v1.0.0-beta.9.3
v1.1.0
v1.1.1
v1.10.0
v1.11.0
v1.11.1
v1.11.2
v1.11.3
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.18.1
v1.19.0
v1.19.1
v1.19.2
v1.2.0
v1.20.0
v1.20.1
v1.20.2
v1.21.0
v1.21.1
v1.22.0
v1.22.1
v1.23.0
v1.24.0
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v2.*
v2.0.0
v2.0.0-rc.1
v2.0.0-rc.2
v2.1.0
v2.10.0
v2.11.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.8.0
v2.9.0
v3.*
v3.0.0
v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-beta.3
v3.1.0
v3.1.1
v3.10.0
v3.11.0
v3.11.1
v3.12.0
v3.13.0
v3.2.0
v3.2.1
v3.3.0
v3.4.0
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.7.0
v3.8.0
v3.8.1
v3.8.2
v3.9.0
v4.*
v4.0.0
v4.0.1
v4.1.0
v4.2.0
v4.2.1
v4.3.0
v4.4.0
v4.5.0
v4.6.0
v4.7.0
v4.8.0
v4.8.1
v4.8.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27005.json"