CVE-2026-30232

Source
https://cve.org/CVERecord?id=CVE-2026-30232
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30232.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30232
Aliases
  • GHSA-p4rg-967r-w4cv
Published
2026-04-10T19:15:11.439Z
Modified
2026-07-08T08:11:15.117059547Z
Severity
  • 7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
Chartbrew has SSRF in API Data Connection - No IP Validation on User-Provided URLs
Details

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30232.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/chartbrew/chartbrew

Affected ranges

Type
GIT
Repo
https://github.com/chartbrew/chartbrew
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.8.5"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.0-beta.1
v1.0.0-beta.1.1
v1.0.0-beta.10
v1.0.0-beta.11
v1.0.0-beta.13
v1.0.0-beta.2
v1.0.0-beta.2.1
v1.0.0-beta.2.2
v1.0.0-beta.2.3
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.4.1
v1.0.0-beta.4.2
v1.0.0-beta.5
v1.0.0-beta.5.1
v1.0.0-beta.5.2
v1.0.0-beta.5.4
v1.0.0-beta.5.5
v1.0.0-beta.5.6
v1.0.0-beta.6
v1.0.0-beta.7
v1.0.0-beta.8
v1.0.0-beta.8.1
v1.0.0-beta.9
v1.0.0-beta.9.1
v1.0.0-beta.9.2
v1.0.0-beta.9.3
v1.1.0
v1.1.1
v1.10.0
v1.11.0
v1.11.1
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.18.1
v1.19.0
v1.19.1
v1.2.0
v1.20.0
v1.20.1
v1.20.2
v1.21.0
v1.21.1
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.5.1
v1.5.3
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v2.*
v2.0.0
v2.0.0-rc.1
v2.0.0-rc.2
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.8.0
v3.*
v3.0.0
v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-beta.3
v3.1.0
v3.1.1
v3.10.0
v3.11.0
v3.11.1
v3.12.0
v3.13.0
v3.2.0
v3.2.1
v3.3.0
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.7.0
v3.8.0
v3.8.1
v3.8.2
v3.9.0
v4.*
v4.0.0
v4.0.1
v4.1.0
v4.2.0
v4.2.1
v4.3.0
v4.4.0
v4.5.0
v4.6.0
v4.7.0
v4.8.0
v4.8.1
v4.8.2
v4.8.3
v4.8.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30232.json"