8.6
CVE-2026-28507 - Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal
Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4.
6.3
CVE-2026-27605 - Chartbrew: Stored Cross-Site Scripting (XSS) via File Upload API
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project logos) without validating the file type or content. It trusts the extension provided by the user. Th…
8.7
CVE-2026-27603 - Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter …
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing una…
8.8
CVE-2026-27005 - Chartbrew: SQL injection in date-type variable handling (applyMysqlOrPostgresVariables)
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows…
8.8
CVE-2026-25888 - Chartbrew: Remote Code Execution (RCE) via Vulnerable API
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.
7.2
CVE-2026-25887 - Chartbrew: Remote Code Execution (RCE) via MongoDB Dataset Query
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.
6.5
CVE-2026-25877 - Chartbrew: Insecure Direct Object Reference (IDOR) in Chart Operations
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations (update, delete, etc.)…
8.8
CVE-2026-29041 - Chamilo: Authenticated Remote Code Execution via Unrestricted File Upload
Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequat…
6.9
CVE-2025-59544 - Chamilo: Unauthorized access to update category of any user
Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter, which allows users to update the category of any user by replacing the "category_id" parameter. This issue…
9.1
CVE-2025-59543 - Chamilo: Account Takeover via Stored XSS in Course Description
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the …