CVE-2026-27005

Severity: High · Public PoC

Published: 06 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: available (Chartbrew 4.8.3)
CVSS v4.0 base score: 8.8 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0051 (39.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27005 is a high-severity SQL Injection (CWE-89) vulnerability in Depomo Chartbrew. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27005 is a SQL injection vulnerability (CWE-89) affecting Chartbrew, an open-source web application designed to connect directly to databases and APIs for creating charts from data. Versions of Chartbrew prior to 4.8.3 are vulnerable, specifically when connected to MySQL or PostgreSQL databases, as the application fails to properly sanitize user inputs in SQL queries executed against these backends.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By injecting arbitrary SQL into queries, the attacker can read, modify, or delete data in the connected databases, with the extent of impact determined by the privileges of the database user account configured in Chartbrew.

The issue has been addressed in Chartbrew version 4.8.3, which patches the SQL injection flaw. Official advisories and release notes are available on the Chartbrew GitHub repository, including the security advisory at GHSA-w5rh-v333-qq6c and the release tag for v4.8.3.

Vulnerability details

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows reading, modifying, or deleting data in those databases depending on the database user's privileges. This issue has been patched in version 4.8.3.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing web application (Chartbrew) enables exploitation of public-facing application (T1190) and facilitates arbitrary data access from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-25888 (same product: Depomo Chartbrew)
- CVE-2026-32252 (same product: Depomo Chartbrew)
- CVE-2026-27603 (same product: Depomo Chartbrew)
- CVE-2026-25887 (same product: Depomo Chartbrew)
- CVE-2026-30232 (same product: Depomo Chartbrew)
- CVE-2018-25199 (shared CWE-89)
- CVE-2026-27179 (shared CWE-89)
- CVE-2025-0308 (shared CWE-89)
- CVE-2019-25581 (shared CWE-89)
- CVE-2026-27885 (shared CWE-89)

Affected Assets

Vendor: depomo
Product: chartbrew
Versions: ≤ 4.8.3

Mitigating Controls (NIST 800-53 r5, AI mapping)

- prevent, Information Input Validation (SI-10): Directly prevents SQL injection attacks by requiring validation and sanitization of user inputs used in database queries.
- prevent, Flaw Remediation (SI-2): Requires timely remediation of flaws like this SQL injection vulnerability through patching to version 4.8.3 or equivalent.
- prevent, least privilege on database accounts: Limits the impact of successful SQL injection by enforcing least privilege on the database user accounts used by Chartbrew.
