HarborGuard Database
CVE-2026-41518 | Severity: HIGH | Published | Modified | CNA: GitHub_M

CVE-2026-41518: Chartbrew has a stored DOM XSS via Chart Tooltip innerHTML (ChartDatasetConfig.legend)

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the `ChartDatasetConfig.legend` field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded `innerHTML` assignment in `ChartTooltip.js`. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load — no hover interaction is required. Browser-based Playwright verification confirmed `alert('localhost')` fires immediately and `<img src="x" onerror="alert(document.domain)">` is present in the `#chartjs-tooltip` DOM element. Version 5.0.1 contains a fix.
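The advisory's root cause is a string built from the stored legend and handed to `innerHTML`. The following is an added illustration, not Chartbrew's own code: it contrasts that pattern with the escaped form and adds a coarse server-side check that a persistence layer could run before storing a legend. The function names (`buildTooltipUnsafe`, `buildTooltipSafe`, `legendLooksLikeMarkup`) and the sample rows are hypothetical and constructed for the example.

```javascript
// Added example (not Chartbrew's code). Function names and sample data are
// hypothetical; the row shape {legend, value} stands in for a dataset entry.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value. The result is safe to concatenate into markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the legend is concatenated verbatim, so whatever markup
// was stored in it becomes live DOM when the string is assigned to innerHTML.
function buildTooltipUnsafe(rows) {
  return rows
    .map((r) => `<div class="row"><span class="legend">${r.legend}</span>: ${r.value}</div>`)
    .join('');
}

// Hardened pattern: every untrusted field is escaped before concatenation.
// (Equivalently, create the elements with the DOM API and set textContent;
// this string form is used here so the example runs without a browser.)
function buildTooltipSafe(rows) {
  return rows
    .map((r) => `<div class="row"><span class="legend">${escapeHtml(r.legend)}</span>: ${escapeHtml(r.value)}</div>`)
    .join('');
}

// Coarse defensive check for the write path: flag legends that contain a tag
// opener or an on*= event-handler attribute so the write can be rejected or
// logged. Output escaping above is the actual fix; this only adds visibility.
function legendLooksLikeMarkup(legend) {
  const s = String(legend);
  return /<[a-z!/?]/i.test(s) || /\bon\w+\s*=/i.test(s);
}

// Constructed sample: one benign legend and one carrying an element with an
// event-handler attribute of the kind the advisory describes.
const sampleRows = [
  { legend: 'Revenue', value: 1200 },
  { legend: '<img src=x onerror="alert(document.domain)">', value: 7 },
];

console.log('unsafe:', buildTooltipUnsafe(sampleRows));
console.log('safe:  ', buildTooltipSafe(sampleRows));
console.log('flagged:', sampleRows.map((r) => legendLooksLikeMarkup(r.legend)));
```

Running the block shows the unsafe output still containing the raw `<img ... onerror=...>` element, while the safe output carries it as inert `&lt;img ...&gt;` text. The heuristic check is deliberately narrow (a literal `<` before a tag name, or a word-boundary `on...=`) so that ordinary legend text such as "Conversion = rate" does not trip it.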

Metrics

CVSS v3.1: 7.6
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) via an unguarded innerHTML assignment affects Chartbrew versions 4.9.0 through 5.0.0. An authenticated user with project-editor permissions can inject arbitrary HTML or JavaScript into the ChartDatasetConfig.legend field; the payload persists in the database and is written directly into the tooltip DOM element when any visitor loads a public dashboard, with no hover or click required. Successful exploitation gives the attacker arbitrary JavaScript execution in the victim's browser session, enabling session-token theft, DOM manipulation, and data exfiltration. HarborGuard tracks this advisory and will make a patched-image rebuild available for affected environments once a fix version is confirmed upstream.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-41518 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that vendor Chartbrew as a dependency. Any image layer containing a Chartbrew version between 4.9.0 and 5.0.0 (inclusive) will surface a finding in the relevant registry or pipeline scan.

Triage: Available

HarborGuard scores this finding at CVSS 7.6 HIGH and weights it further against each environment's compliance policy, for example stricter treatment under policies that flag public-facing web applications or user-data handlers. Findings are routed to the configured inbox or ticketing integration for the responsible team within each customer organization.

Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is confirmed. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Chartbrew application over the network to submit the malicious legend payload, and victims must be able to load the public dashboard over the network to trigger execution.

  • Authentication: Required

    The attacker needs at minimum a low-privilege project-editor account to write the payload into the ChartDatasetConfig.legend field; unauthenticated parties cannot submit the payload, though they are the victims who trigger execution.

  • Victim interaction: Required

    A victim must load the public dashboard page in their browser; while no click or hover is needed, a page visit is required to trigger the injected JavaScript.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the payload is stored: no race conditions, memory layout dependencies, or environmental factors are required for successful execution.

Blast Radius

  • Reads session tokens, authentication cookies, and any credentials stored in the victim's browser context for the Chartbrew origin.
  • Exfiltrates sensitive data visible in the DOM, including chart data and any personally identifiable information rendered on the dashboard.
  • Performs actions on behalf of the victim within the Chartbrew application, such as modifying project settings or creating further malicious payloads.
  • Delivers secondary payloads, for example redirecting victims to attacker-controlled pages or installing browser-based malware.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored on every ingest cycle because no upstream fix version has been published. In the interim, compensating controls that can reduce exposure include network-policy rules that restrict access to the Chartbrew service to trusted internal networks only, egress filtering to block exfiltration attempts from the container, and disabling public dashboard sharing at the application configuration level if that feature is not required. Where a compliance policy flags public-facing web applications, the finding will be escalated accordingly. The moment Chartbrew ships a patched release, HarborGuard will ingest the fix version, make a rebuilt image available, and, for customers with auto-remediation enabled, open a PR against affected workloads after a regression run.

Affected packages
  • chartbrew / chartbrew: >= 4.9.0, < 5.0.1

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N