CVE-2026-25877

{"id": "CVE-2026-25877", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-06T05:16:28.230", "references": [{"url": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-9fcr-x8x8-mrxc", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations (update, delete, etc.). No authorization check is performed against the chart_id itself. This allows an authenticated user who has access to any project to manipulate or access charts belonging to other users/ project. This issue has been patched in version 4.8.1."}, {"lang": "es", "value": "Chartbrew es una aplicaci\u00f3n web de c\u00f3digo abierto que puede conectarse directamente a bases de datos y APIs y usar los datos para crear gr\u00e1ficos. Antes de la versi\u00f3n 4.8.1, la aplicaci\u00f3n realiza comprobaciones de autorizaci\u00f3n basadas \u00fanicamente en el par\u00e1metro project_id al manejar operaciones relacionadas con gr\u00e1ficos (actualizar, eliminar, etc.). No se realiza ninguna comprobaci\u00f3n de autorizaci\u00f3n contra el propio chart_id. Esto permite a un usuario autenticado que tiene acceso a cualquier proyecto manipular o acceder a gr\u00e1ficos pertenecientes a otros usuarios/proyecto. Este problema ha sido parcheado en la versi\u00f3n 4.8.1."}], "lastModified": "2026-03-10T14:09:25.073", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55A8DB77-A290-400C-B2C5-7D0C7C82F7BE", "versionEndExcluding": "4.8.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}