CVE-2026-25888
Published: 06 March 2026
Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: timely identification, reporting, and remediation of the RCE vulnerability by patching Chartbrew to version 4.8.1 or later.
- Input validation: validation and sanitization of all input reaching the vulnerable API endpoint, preventing the code injection class of exploit described by CWE-94.
- Boundary protection: web application firewalls or equivalent controls that monitor and control communications to the vulnerable API, blocking or detecting exploitation attempts.
Security Summary
CVE-2026-25888 is a remote code execution vulnerability (classified under CWE-94) affecting Chartbrew, an open-source web application designed to connect directly to databases and APIs for creating data visualizations and charts. The flaw exists in a vulnerable API endpoint in versions prior to 4.8.1, allowing arbitrary code execution on the server hosting the application. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and significant impacts.
An authenticated attacker with low privileges (PR:L), such as a registered user, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, allowing the attacker to execute arbitrary code on the affected Chartbrew server, potentially leading to full system compromise, data exfiltration, or further lateral movement within the environment.
The issue has been addressed in Chartbrew version 4.8.1, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to v4.8.1 or later, review access controls for API endpoints, and monitor for anomalous activity in affected deployments. Relevant resources include the GitHub release page at https://github.com/chartbrew/chartbrew/releases/tag/v4.8.1 and the security advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-875w-45c2-gxq8.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-25888 enables remote code execution via a vulnerable API endpoint in the Chartbrew web application, directly facilitating T1190: Exploit Public-Facing Application.