CVE-2026-41518

Source
https://cve.org/CVERecord?id=CVE-2026-41518
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41518.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41518
Aliases
  • GHSA-6q2j-365c-7gqf
Published
2026-06-04T19:28:55.627Z
Modified
2026-07-15T01:48:49.871665405Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N CVSS Calculator
Summary
Chartbrew has a stored DOM XSS via Chart Tooltip innerHTML (ChartDatasetConfig.legend)
Details

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded innerHTML assignment in ChartTooltip.js. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load — no hover interaction is required. Browser-based Playwright verification confirmed alert('localhost') fires immediately and <img src="x" onerror="alert(document.domain)"> is present in the #chartjs-tooltip DOM element. Version 5.0.1 contains a fix.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41518.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/chartbrew/chartbrew

Affected ranges

Type
GIT
Repo
https://github.com/chartbrew/chartbrew
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.9.0"
        },
        {
            "fixed": "5.0.1"
        },
        {
            "fixed": "5.0.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

v4.*
v4.9.0
v5.*
v5.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41518.json"