PT-2026-46317 · Chartbrew · Chartbrew

Qiaonpc · Published 2026-06-04 · Updated 2026-06-04 · CVE-2026-41518

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Chartbrew versions 4.9.0 through 5.0.0

Description: An authenticated user with project-editor permissions can store arbitrary HTML and JavaScript in the ChartDatasetConfig.legend field. This payload is saved in the database and injected into the tooltip DOM element through an unguarded innerHTML assignment in the ChartTooltip.js file. Consequently, any unauthenticated viewer of a public dashboard will trigger the execution of the JavaScript on page load without requiring any interaction. This is a Stored Cross-Site Scripting (XSS) issue, where malicious scripts are permanently stored on the target server and served to other users.

Recommendations: Update to version 5.0.1.
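As an added illustration of the pattern the description points at (not Chartbrew's own code; the function names and the element stub are assumptions), a tooltip that concatenates an untrusted legend into innerHTML passes its markup through unchanged, while the hardened version escapes it, and a store-time check keeps markup out of the legend field in the first place.

```javascript
// Minimal stand-in for a DOM element so this runs under Node without a browser.
// A real element parses whatever is assigned to innerHTML as markup; here we only
// record the string so the two render paths can be compared.
function makeElement() {
  return { innerHTML: "" };
}

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored legend goes straight into markup assigned to innerHTML,
// so any tags it contains are parsed and executed by the viewer's browser.
function renderTooltipUnsafe(el, legend, value) {
  el.innerHTML = `<span class="legend">${legend}</span>: ${value}`;
  return el.innerHTML;
}

// Hardened pattern: every untrusted piece is escaped before it touches innerHTML.
// (Assigning to textContent instead of innerHTML is the equivalent fix when no
// markup of your own is needed.)
function renderTooltipSafe(el, legend, value) {
  el.innerHTML = `<span class="legend">${escapeHtml(legend)}</span>: ${escapeHtml(value)}`;
  return el.innerHTML;
}

// Defence in depth on the write path: a legend is a short plain label, so the API
// that persists ChartDatasetConfig.legend can reject markup characters outright.
function isPlainLegend(legend) {
  return typeof legend === "string" && legend.length <= 200 && !/[<>]/.test(legend);
}

// Constructed sample legend carrying markup (not a real payload from the advisory).
const HOSTILE_LEGEND = "<i>Sales</i><script>console.log(1)</script>";

console.log("unsafe:", renderTooltipUnsafe(makeElement(), HOSTILE_LEGEND, 42));
console.log("safe:  ", renderTooltipSafe(makeElement(), HOSTILE_LEGEND, 42));
console.log("accepted at store time?", isPlainLegend(HOSTILE_LEGEND)); // false
```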
