CVE-2026-27605
📋 TL;DR
Chartbrew versions before 4.8.4 have a stored cross-site scripting (XSS) vulnerability in file upload functionality. Attackers can upload malicious HTML files containing JavaScript, which when served to users can steal authentication tokens from localStorage, potentially leading to account takeover. All Chartbrew instances using vulnerable versions are affected.
💻 Affected Systems
- Chartbrew
📦 What is this software?
Chartbrew by Depomo
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to unauthorized access to connected databases/APIs, data theft, and potential lateral movement within the environment.
Likely Case
Session hijacking and account compromise for users who access the malicious uploaded file, potentially exposing sensitive chart data and database credentials.
If Mitigated
Limited impact with proper file validation and content security policies in place, though authentication tokens remain at risk if accessed.
🎯 Exploit Status
Exploitation requires authenticated access to upload files, but the attack chain is straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.4
Vendor Advisory: https://github.com/chartbrew/chartbrew/security/advisories/GHSA-jf6m-hm53-c364
Restart Required: Yes
Instructions:
1. Backup your Chartbrew instance and database.
2. Update to version 4.8.4 or later using your deployment method (Docker, manual, etc.).
3. Restart the application.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable file uploads
- Temporarily disable project logo upload functionality in Chartbrew configuration
- Modify Chartbrew configuration to remove or disable file upload endpoints
Implement web server file type restrictions
- Configure the web server (nginx/apache) to block serving HTML files from the uploads directory
- Add a location block in nginx: location ~* \.html$ { deny all; }
- Add to Apache .htaccess: <FilesMatch "\.html$"> Order Allow,Deny Deny from all </FilesMatch>
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent JavaScript execution from uploaded files
- Regularly audit and delete suspicious files from uploads/ directory
🔍 How to Verify
Check if Vulnerable:
Check the Chartbrew version via the web interface or API, or examine package.json for the version number
Check Version:
Check package.json: cat package.json | grep version, or via API: curl -s http://chartbrew-instance/api/version
Verify Fix Applied:
Attempt to upload an HTML file with an .html extension; it should be rejected or sanitized
📡 Detection & Monitoring
Log Indicators:
- File uploads with .html extensions
- Unusual file upload patterns to uploads/ endpoint
- Multiple failed upload attempts
Network Indicators:
- HTTP requests to uploads/*.html files
- Unusual outbound connections following file access
SIEM Query:
source="chartbrew" AND (uri_path="/api/upload" OR uri_path LIKE "/uploads/%.html")
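A small detector that applies the log and network indicators above to constructed sample events, as an added example that is not part of the advisory or of the Chartbrew project. The JSON field names (src, method, uri_path, status, filename, content_type) are assumptions modelled on the uri_path field in the SIEM query; it also flags a file under /uploads/ served with an HTML content type regardless of its extension, which the extension-only query would miss.

```python
import json
from collections import Counter

# Constructed sample events (not from any real Chartbrew deployment). The field
# names (src, method, uri_path, status, filename, content_type) are assumptions
# shaped after the uri_path field used in the advisory's SIEM query.
SAMPLE_LOGS = [
    '{"src": "10.0.0.5", "method": "POST", "uri_path": "/api/upload", "status": 200, "filename": "logo.png"}',
    '{"src": "10.0.0.9", "method": "POST", "uri_path": "/api/upload", "status": 200, "filename": "Logo.HTML"}',
    '{"src": "10.0.0.7", "method": "GET", "uri_path": "/uploads/Logo.HTML", "status": 200, "content_type": "text/html"}',
    '{"src": "10.0.0.7", "method": "GET", "uri_path": "/uploads/x.png", "status": 200, "content_type": "text/html"}',
    '{"src": "10.0.0.9", "method": "POST", "uri_path": "/api/upload", "status": 415, "filename": "a.svg"}',
    '{"src": "10.0.0.9", "method": "POST", "uri_path": "/api/upload", "status": 415, "filename": "b.svg"}',
    '{"src": "10.0.0.9", "method": "POST", "uri_path": "/api/upload", "status": 415, "filename": "c.svg"}',
    '{"src": "10.0.0.5", "method": "GET", "uri_path": "/uploads/logo.png", "status": 200, "content_type": "image/png"}',
    'this line is not JSON and must be skipped, not crash the job',
]

HTML_EXT = (".html", ".htm")


def detect(lines, failed_threshold=3):
    """Apply the advisory's indicators to JSON-per-line events and return one
    alert dict per hit: html_upload, html_served, repeated_failed_uploads."""
    alerts = []
    failed = Counter()
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole run
        src = ev.get("src", "?")
        path = ev.get("uri_path", "").lower()  # case-insensitive, like LIKE "%.html"
        name = ev.get("filename", "").lower()
        ctype = ev.get("content_type", "").lower()
        if path == "/api/upload" and name.endswith(HTML_EXT):
            alerts.append({"rule": "html_upload", "src": src, "detail": name})
        # A file under /uploads/ is dangerous if served as HTML whatever its name:
        # catch the .html extension and also an HTML content type on any name.
        if path.startswith("/uploads/") and (path.endswith(HTML_EXT) or ctype.startswith("text/html")):
            alerts.append({"rule": "html_served", "src": src, "detail": path})
        if path == "/api/upload" and int(ev.get("status", 0)) >= 400:
            failed[src] += 1
    for src, n in failed.items():
        if n >= failed_threshold:
            alerts.append({"rule": "repeated_failed_uploads", "src": src, "detail": n})
    return alerts
```

Run detect() over the exported events of your own log pipeline; the threshold for repeated failed uploads is a tunable starting point, not a calibrated value.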