Platform
nodejs
Component
chartbrew
Fixed in
4.8.2
CVE-2026-25888 is a Remote Code Execution (RCE) vulnerability in Chartbrew, an open-source data visualization tool built on Node.js. The flaw lets an attacker execute arbitrary code on the server through a vulnerable API endpoint. Chartbrew versions prior to 4.8.1 are affected; the fix shipped in version 4.8.1.
The impact of an RCE in Chartbrew is severe. Code injected through the vulnerable endpoint runs with the privileges of the Chartbrew Node.js process, so an attacker can typically read, modify, and delete everything in the application database and reach every data source (databases and APIs) that Chartbrew has been configured to connect to, including the stored credentials for those connections. If the process runs with broad host privileges, full control of the server follows, and lateral movement is possible wherever that server has network access. The blast radius therefore covers not only Chartbrew's own data but every dataset it is wired to visualize, which is often business-critical or personal information.
CVE-2026-25888 was publicly disclosed on 2026-03-06. At the time of writing there are no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog. A fix is available, but exposure persists on every instance that has not been upgraded, and public disclosure of a fix routinely precedes the appearance of a working exploit.
Exploit Status
EPSS
0.32% (55th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25888 is to upgrade Chartbrew to version 4.8.1 or later as soon as possible. If an immediate upgrade is not feasible because of compatibility concerns or downtime constraints, reduce exposure in the meantime: place the Chartbrew API behind a reverse proxy or Web Application Firewall (WAF) and restrict it to trusted networks or authenticated users, and do not rely on WAF input filtering alone, since signature-based filters are easily bypassed for code-injection flaws. Monitor Chartbrew and proxy logs for unexpected API calls. If an unpatched instance has been reachable from untrusted networks, treat it as potentially compromised: review its logs and consider rotating the credentials of every data source it connects to.
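Before upgrading, the practical first step is to find out which version each deployment is actually running. The following Node.js script is an added example, not code from the Chartbrew project; it compares a version string against the fixed release named in this advisory (4.8.1) using full semver ordering, so that prerelease builds such as `4.8.1-beta.1` are correctly reported as older than `4.8.1`. It assumes (an assumption, not a page fact) that a Chartbrew checkout's root `package.json` has `name` set to `chartbrew` and a `version` field equal to the release tag; the sample `package.json` text embedded below is constructed for the example.

```javascript
// Added example (not Chartbrew's own code): report whether an installed Chartbrew
// release is older than the fixed version given in this advisory (4.8.1).
// Assumption: the checkout's root package.json carries name "chartbrew" and a
// version field equal to the release tag. This is an assumption, not a page fact.

// Core version, optional "-prerelease", optional "+build" (build metadata is ignored).
const SEMVER_RE = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseSemver(str) {
  const m = SEMVER_RE.exec(String(str).trim());
  if (!m) throw new Error(`not a semver string: ${str}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: m[4] ? m[4].split(".") : [],
  };
}

// Semver prerelease identifier ordering: numeric identifiers compare numerically and
// sort before alphanumeric ones; alphanumeric identifiers compare lexically.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b under semver precedence rules.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  // Same core version: a prerelease always ranks below the corresponding release.
  if (x.prerelease.length === 0 && y.prerelease.length === 0) return 0;
  if (x.prerelease.length === 0) return 1;
  if (y.prerelease.length === 0) return -1;
  const n = Math.min(x.prerelease.length, y.prerelease.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(x.prerelease[i], y.prerelease[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the longer prerelease list has higher precedence.
  return Math.sign(x.prerelease.length - y.prerelease.length);
}

const FIXED_IN = "4.8.1"; // fixed release as stated in this advisory

// True when the given version is strictly older than the fixed release.
function isAffected(version, fixedIn = FIXED_IN) {
  return compareSemver(version, fixedIn) < 0;
}

// Reads the root package.json text of a checkout and reports the verdict.
// `affected` is null when the file does not describe Chartbrew at all.
function checkPackageJson(jsonText, fixedIn = FIXED_IN) {
  const pkg = JSON.parse(jsonText);
  if (pkg.name !== "chartbrew") {
    return { name: pkg.name, version: pkg.version, affected: null, reason: "not a chartbrew package.json" };
  }
  return { name: pkg.name, version: pkg.version, affected: isAffected(pkg.version, fixedIn) };
}

// Constructed sample input so the script runs stand-alone; not a real project file.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: "chartbrew", version: "4.7.3", private: true });

console.log(JSON.stringify(checkPackageJson(SAMPLE_PACKAGE_JSON)));
```

To check a real deployment, pass the contents of the checkout's root `package.json` to `checkPackageJson` instead of the constructed sample. The explicit prerelease handling matters because a naive string comparison would rank `4.8.1-beta.1` above `4.8.1` and report a vulnerable build as fixed.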
Upgrade Chartbrew to version 4.8.1 or later. That release contains the fix for the remote code execution vulnerability. The latest version is available from the official website or through the corresponding package manager.
CVE-2026-25888 is a Remote Code Execution vulnerability in Chartbrew versions prior to 4.8.1 that allows attackers to execute arbitrary code on the server through a vulnerable API endpoint.
Yes, if you are running any Chartbrew version earlier than 4.8.1, you are vulnerable to this RCE flaw.
Upgrade Chartbrew to version 4.8.1 or later to patch the vulnerability. Consider temporary WAF rules if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but vigilance is still advised.
Refer to the Chartbrew project's official website or GitHub repository for the latest security advisories and updates.