CVE-2026-25887
Published: 06 March 2026
Summary
CVE-2026-25887 is a high-severity Code Injection (CWE-94) vulnerability in Depomo Chartbrew. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 41.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25887 is a remote code execution vulnerability in Chartbrew, an open-source web application that connects directly to databases and APIs to generate charts from data. The flaw exists in the MongoDB dataset Query feature in versions prior to 4.8.1 and is classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An attacker with high privileges, such as an authenticated administrator, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows remote code execution on the server, granting high-impact access to confidentiality, integrity, and availability, potentially leading to full system compromise.
The issue has been addressed in Chartbrew version 4.8.1, as detailed in the project's release notes and security advisory. Practitioners should upgrade to this version or later to mitigate the vulnerability. Relevant resources include the GitHub release page at https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1 and the advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-x4r6-prmw-7wvw.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9976
Vulnerability details
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via code injection (CWE-94) in a public-facing web application (the MongoDB dataset Query feature) directly enables T1190 (Exploit Public-Facing Application) and T1059.007 (JavaScript command execution) on the server.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation and sanitization of MongoDB dataset queries to block the code-injection payload that enables RCE.
- SI-2 (Flaw Remediation): Requires prompt application of the vendor-supplied patch (v4.8.1) that removes the CWE-94 flaw in the MongoDB query path.
- Access restriction: Restricts the MongoDB dataset Query feature to only those accounts that absolutely require it, reducing the population able to reach the RCE vector.