Cyber Resilience

CVE-2026-25888

Severity: High · Public PoC · RCE

Published: 06 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: available (v4.8.1)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0066 (46.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25888 is a high-severity Code Injection (CWE-94) vulnerability in Depomo Chartbrew. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25888 is a remote code execution vulnerability (classified under CWE-94) affecting Chartbrew, an open-source web application designed to connect directly to databases and APIs for creating data visualizations and charts. The flaw exists in a vulnerable API endpoint in versions prior to 4.8.1, allowing arbitrary code execution on the server hosting the application. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and significant impacts.

An authenticated attacker with low privileges (PR:L), such as a registered user, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high-level impacts on confidentiality, integrity, and availability, enabling the attacker to execute arbitrary code on the affected Chartbrew server, potentially leading to full system compromise, data exfiltration, or further lateral movement within the environment.

The issue has been addressed in Chartbrew version 4.8.1, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to v4.8.1 or later, review access controls for API endpoints, and monitor for anomalous activity in affected deployments. Relevant resources include the GitHub release page at https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1 and the security advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-875w-45c2-gxq8.

Vulnerability details

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-25888 enables remote code execution via a vulnerable API endpoint in the Chartbrew web application, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25887: same product (Depomo Chartbrew)
CVE-2026-32252: same product (Depomo Chartbrew)
CVE-2026-27603: same product (Depomo Chartbrew)
CVE-2026-27005: same product (Depomo Chartbrew)
CVE-2026-30232: same product (Depomo Chartbrew)
CVE-2026-41229: shared CWE-94
CVE-2026-44262: shared CWE-94
CVE-2026-40563: shared CWE-94
CVE-2024-32641: shared CWE-94
CVE-2025-71243: shared CWE-94

Affected Assets

depomo / chartbrew: ≤ 4.8.1 (as listed in this record; the advisory text above states that versions prior to 4.8.1 are affected and that 4.8.1 is the patched release)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)
Directly requires timely identification, reporting, and remediation of the RCE vulnerability by patching Chartbrew to version 4.8.1 or later.

SI-10 Information Input Validation (prevent)
Enforces validation and sanitization of inputs to the vulnerable API endpoint, preventing code injection exploits classified as CWE-94.

Boundary protection (prevent, detect)
Implements boundary protections such as web application firewalls to monitor and control communications to the vulnerable API, blocking or detecting exploitation attempts.
