SecuriTricks - CVE-2026-30232

Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.

Product(s) Impacted

Vendor	Product	Versions
Chartbrew	Chartbrew	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	chartbrew	chartbrew	/	/	/	/	/	/	/	/

References

https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1

https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv

CVSS Score

7.8 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: NONE
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: April 10, 2026, 8:16 p.m.
Last Modified: April 10, 2026, 8:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-30232