Chartbrew has a stored DOM XSS via Chart Tooltip innerHTML (ChartDatasetConfig.legend)
CVE-2026-41518

7.6HIGH

Key Information:

Vendor: Chartbrew
Status: Chartbrew
Vendor: CVE Published:; 4 June 2026

What is CVE-2026-41518?

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded innerHTML assignment in ChartTooltip.js. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load — no hover interaction is required. Browser-based Playwright verification confirmed alert('localhost') fires immediately and <img src="x" onerror="alert(document.domain)"> is present in the #chartjs-tooltip DOM element. Version 5.0.1 contains a fix.

Affected Version(s)

chartbrew >= 4.9.0, < 5.0.1

References

https://github.com/chartbrew/chartbrew/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Apr 20, 2026

CVE-2026-41518 Data

JSON