An attacker may be able to use this behavior to construct a URL that, if visited by another application user, will cause arbitrary JSON data to be processed.

The vulnerability can be found in the following code fragment: 

https://github.com/netdata/netdata/blob/798c141c49ee85bddc8f48f25d2cb593ec96da07/web/api/web_api_v1.c#L388
https://github.com/netdata/netdata/blob/798c141c49ee85bddc8f48f25d2cb593ec96da07/web/api/web_api_v1.c#L403