No vendor fix or workaround is recorded in this field, although the description below states that version 5.0.1 contains a fix.
No advisories yet.
Fri, 05 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc |
Thu, 04 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Chartbrew; Chartbrew chartbrew |
| Vendors & Products | | Chartbrew; Chartbrew chartbrew |
Thu, 04 Jun 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the `ChartDatasetConfig.legend` field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded `innerHTML` assignment in `ChartTooltip.js`. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load; no hover interaction is required. Browser-based Playwright verification confirmed that `alert('localhost')` fires immediately and that `<img src="x" onerror="alert(document.domain)">` is present in the `#chartjs-tooltip` DOM element. Version 5.0.1 contains a fix. |
| Title | | Chartbrew has a stored DOM XSS via Chart Tooltip innerHTML (ChartDatasetConfig.legend) |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1 |
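The description above names the sink (tooltip markup built from `ChartDatasetConfig.legend` and assigned to `innerHTML`) but not the shape of the fix. The following is an added example, not Chartbrew's own code and not taken from the 5.0.1 patch: it places the vulnerable rendering pattern beside an escaped version and adds a write-time check for the legend field. The function names `renderTooltipVulnerable`, `renderTooltipEscaped` and `validateLegend`, the dataset shape, and the sample data are assumptions; `tooltipEl` is a plain object standing in for the `#chartjs-tooltip` DOM node so the example runs in Node without a browser.

```javascript
// Added example for the innerHTML sink described in the advisory. Not
// Chartbrew's code: function names, dataset shape and sample data are
// assumptions, and tooltipEl is a plain object standing in for the
// #chartjs-tooltip element so this runs in Node without a browser.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the untrusted legend is interpolated into markup and
// written with innerHTML. In a browser, a legend such as
// <img src="x" onerror="..."> is parsed as a real element and its handler
// fires as soon as the tooltip is rendered, without any hover.
function renderTooltipVulnerable(tooltipEl, datasets) {
  const rows = datasets.map(
    (d) => `<tr><td class="legend">${d.legend}</td><td>${d.value}</td></tr>`,
  );
  tooltipEl.innerHTML = `<table>${rows.join('')}</table>`;
  return tooltipEl.innerHTML;
}

// Fixed pattern: same markup, but every untrusted field is HTML-escaped
// before it reaches innerHTML, so the payload renders as literal text.
function renderTooltipEscaped(tooltipEl, datasets) {
  const rows = datasets.map(
    (d) => `<tr><td class="legend">${escapeHtml(d.legend)}</td><td>${escapeHtml(d.value)}</td></tr>`,
  );
  tooltipEl.innerHTML = `<table>${rows.join('')}</table>`;
  return tooltipEl.innerHTML;
}

// Defense in depth at the API boundary where the legend is persisted: accept
// only a short plain-text label (letters, digits, spaces and a few
// punctuation characters). This does not replace escaping at the sink,
// because legends stored before the fix are still rendered.
const LEGEND_ALLOWED = /^[\p{L}\p{N} _.,:;()%\/+-]{1,100}$/u;
function validateLegend(legend) {
  return typeof legend === 'string' && LEGEND_ALLOWED.test(legend);
}

// Constructed sample input: one legend carrying the payload quoted in the
// advisory and one ordinary label.
const SAMPLE_DATASETS = [
  { legend: '<img src="x" onerror="alert(document.domain)">', value: 42 },
  { legend: 'Revenue (USD)', value: 1337 },
];

// Render the sample through both paths and return the resulting markup.
function demo() {
  const unsafe = renderTooltipVulnerable({ innerHTML: '' }, SAMPLE_DATASETS);
  const safe = renderTooltipEscaped({ innerHTML: '' }, SAMPLE_DATASETS);
  return { unsafe, safe };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { unsafe, safe } = demo();
  console.log('vulnerable innerHTML:', unsafe);
  console.log('escaped innerHTML:   ', safe);
  console.log('validateLegend(payload):', validateLegend(SAMPLE_DATASETS[0].legend));
}
```

Run it with `node` to see the raw `<img ...>` tag in the vulnerable output and `&lt;img ...&gt;` in the escaped one. In a real component the cleaner fix is to stop using `innerHTML` for untrusted data altogether and build the rows with `document.createElement` and `textContent`; the escaping variant is shown because it is the smallest change to a template-string renderer. The write-time check is deliberately an allowlist rather than a blocklist of `<script>`-style patterns, which are easy to bypass.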
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-05T19:34:10.557Z
Reserved: 2026-04-20T18:18:50.682Z
Link: CVE-2026-41518

Updated: 2026-06-05T19:34:02.963Z
Status: Deferred
Published: 2026-06-04T20:16:57.960
Modified: 2026-06-05T20:17:31.547
Link: CVE-2026-41518
OpenCVE Enrichment
Updated: 2026-06-04T22:00:14Z