Cyber Posture

CVE-2026-27005

Critical · Public PoC

Published: 06 March 2026

Modified: 10 March 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows reading, modifying, or deleting data in those databases depending on the database user's privileges. This issue has been patched in version 4.8.3.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly prevents SQL injection attacks by requiring validation and sanitization of user inputs used in database queries.
- prevent: Requires timely remediation of flaws like this SQL injection vulnerability through patching to version 4.8.3 or equivalent.
- prevent: Limits the impact of successful SQL injection by enforcing least privilege on the database user accounts used by Chartbrew.

Security Summary (AI-generated)

CVE-2026-27005 is a SQL injection vulnerability (CWE-89) affecting Chartbrew, an open-source web application designed to connect directly to databases and APIs for creating charts from data. Versions of Chartbrew prior to 4.8.3 are vulnerable, specifically when connected to MySQL or PostgreSQL databases, as the application fails to properly sanitize user inputs in SQL queries executed against these backends.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By injecting arbitrary SQL into queries, the attacker can read, modify, or delete data in the connected databases, with the extent of impact determined by the privileges of the database user account configured in Chartbrew.

The issue has been addressed in Chartbrew version 4.8.3, which patches the SQL injection flaw. Official advisories and release notes are available on the Chartbrew GitHub repository, including the security advisory at GHSA-w5rh-v333-qq6c and the release tag for v4.8.3.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: depomo chartbrew ≤ 4.8.3

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection in the public-facing Chartbrew web application corresponds to exploitation of a public-facing application (T1190) and enables arbitrary data access from the connected databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References