Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded innerHTML assignment in ChartTooltip.js. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load — no hover interaction is required. Browser-based Playwright verification confirmed alert('localhost') fires immediately and <img src="x" onerror="alert(document.domain)"> is present in the #chartjs-tooltip DOM element. Version 5.0.1 contains a fix.