{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-24T19:27:07.517","vulnerabilities":[{"cve":{"id":"CVE-2026-25877","sourceIdentifier":"security-advisories@github.com","published":"2026-03-06T05:16:28.230","lastModified":"2026-06-17T10:25:21.927","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations (update, delete, etc.). No authorization check is performed against the chart_id itself. This allows an authenticated user who has access to any project to manipulate or access charts belonging to other users/ project. This issue has been patched in version 4.8.1."},{"lang":"es","value":"Chartbrew es una aplicación web de código abierto que puede conectarse directamente a bases de datos y APIs y usar los datos para crear gráficos. Antes de la versión 4.8.1, la aplicación realiza comprobaciones de autorización basadas únicamente en el parámetro project_id al manejar operaciones relacionadas con gráficos (actualizar, eliminar, etc.). No se realiza ninguna comprobación de autorización contra el propio chart_id. Esto permite a un usuario autenticado que tiene acceso a cualquier proyecto manipular o acceder a gráficos pertenecientes a otros usuarios/proyecto. Este problema ha sido parcheado en la versión 4.8.1."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"chartbrew","product":"chartbrew","versions":[{"version":"< 4.8.1","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-06T15:50:41.617781Z","id":"CVE-2026-25877","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-284"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*","versionEndExcluding":"4.8.1","matchCriteriaId":"55A8DB77-A290-400C-B2C5-7D0C7C82F7BE"}]}]}],"references":[{"url":"https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/chartbrew/chartbrew/security/advisories/GHSA-9fcr-x8x8-mrxc","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}