CVE-2026-40600 · HIGH 8.1 · EPSS p13.8%


Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.23% probability of exploitation · percentile 13.8% · 2026-06-19T12:03:05Z
Published: 2026-04-30
Last modified: 2026-05-01

Underlying weaknesses · 1

CWE-639

References

  1. https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0
  2. https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm


Type: Weakness
Target: Authorization Bypass Through User-Controlled Key (cwe-639)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-40904
CVE: CVE-2026-27005
CVE: CVE-2026-25888
CVE: CVE-2026-30232
CVE: CVE-2026-41518
CVE: CVE-2026-20750

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.