Cyber Resilience

CVE-2026-25887

High · Public PoC · RCE

Published: 06 March 2026

Modified: 10 March 2026
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25887 is a high-severity Code Injection (CWE-94) vulnerability in Depomo Chartbrew. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 41.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25887 is a remote code execution vulnerability in Chartbrew, an open-source web application that connects directly to databases and APIs to generate charts from data. The flaw exists in the MongoDB dataset Query feature in versions prior to 4.8.1 and is classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker with high privileges, such as an authenticated administrator, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows remote code execution on the server, granting high-impact access to confidentiality, integrity, and availability, potentially leading to full system compromise.

The issue has been addressed in Chartbrew version 4.8.1, as detailed in the project's release notes and security advisory. Practitioners should upgrade to this version or later to mitigate the vulnerability. Relevant resources include the GitHub release page at https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1 and the advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-x4r6-prmw-7wvw.

Vulnerability details

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

RCE via code injection (CWE-94) in a public-facing web application (the MongoDB dataset Query feature) directly enables T1190 exploitation and T1059.007 JavaScript execution on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25888 (same product: Depomo Chartbrew)
CVE-2026-32252 (same product: Depomo Chartbrew)
CVE-2026-27603 (same product: Depomo Chartbrew)
CVE-2026-27005 (same product: Depomo Chartbrew)
CVE-2026-30232 (same product: Depomo Chartbrew)
CVE-2026-41507 (shared CWE-94)
CVE-2025-23061 (shared CWE-94)
CVE-2026-43997 (shared CWE-94)
CVE-2026-1615 (shared CWE-94)
CVE-2026-33943 (shared CWE-94)

Affected Assets

Vendor: depomo
Product: chartbrew
Versions: ≤ 4.8.1

Mitigating Controls (NIST 800-53 r5, AI)

prevent (SI-10 Information Input Validation): Enforces validation and sanitization of MongoDB dataset queries to block the code-injection payload that enables RCE.

prevent (SI-2 Flaw Remediation): Requires prompt application of the vendor-supplied patch (v4.8.1) that removes the CWE-94 flaw in the MongoDB query path.

prevent: Restricts the MongoDB dataset Query feature to only those accounts that absolutely require it, reducing the population able to reach the RCE vector.
