Skip to main content

DataEase CVE-2026-49867

| EUVDEUVD-2026-44786 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-15 GitHub_M
6.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-reachable stored XSS requires low-privilege auth to plant and passive victim load; scope changes because script executes in victim's browser origin context, not attacker's.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 22:33 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 20:31 vuln.today
Analysis Generated
Jul 15, 2026 - 20:31 vuln.today

DescriptionCVE.org

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase template static resources let authenticated users submit TemplateManageRequest.staticResource through POST /de2api/templateManage/save or DataVisualizationServer.decompression, after which StaticResourceServer.saveFilesToServe and StaticResourceServer.saveSingleFileToServe write Base64-decoded .svg content to /de2api/static-resource/<name>.svg without validating extension, MIME type, decoded bytes, or SVG scriptability, causing stored same-origin cross-site scripting when a victim loads the resource. This issue is fixed in version 2.10.23.

AnalysisAI

Stored cross-site scripting in DataEase's template static resource pipeline allows authenticated users to persist malicious JavaScript inside SVG files served at the application's same origin, executing in victims' browsers upon resource access. Versions prior to 2.10.23 are affected; the root cause is that StaticResourceServer.saveFilesToServe and saveSingleFileToServe decoded attacker-supplied Base64 content and wrote it directly to disk without validating extension, MIME type, decoded bytes, or SVG scriptability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate with low-privilege DataEase account
Delivery
Craft Base64-encoded SVG with embedded JavaScript payload
Exploit
Submit malicious SVG via POST /de2api/templateManage/save or decompression API
Install
Server writes unvalidated SVG to /de2api/static-resource/<name>.svg
C2
Victim user loads template or dashboard referencing the resource
Execute
Browser executes attacker script in victim's authenticated same-origin session
Impact
Exfiltrate session token or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session with at least low-privilege access to the DataEase application - unauthenticated exploitation is not possible per the PR:L CVSS metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N) scores 6.3 and accurately reflects the attack profile: network-reachable, low complexity, authenticated low-privilege initiator, passive victim interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege DataEase account crafts a template import package or API request to POST /de2api/templateManage/save containing a Base64-encoded SVG file embedding a JavaScript payload (for example, a script tag or onload event handler that exfiltrates document.cookie to an attacker-controlled server). The SVG is written to /de2api/static-resource/<name>.svg on the server. …
Remediation The primary fix is to upgrade DataEase to version 2.10.23, which is confirmed available at https://github.com/dataease/dataease/releases/tag/v2.10.23 and includes the complete validation rewrite in StaticResourceServer. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-49003 CRITICAL POC
9.8 Jun 26

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m

CVE-2025-49002 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.

CVE-2025-49001 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase BI tool before 2.10.10.

CVE-2025-53005 CRITICAL POC
9.8 Jul 01

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53004 CRITICAL POC
9.8 Jun 30

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53006 CRITICAL POC
9.8 Jul 02

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-23958 CRITICAL POC
9.8 Jan 22

DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack

CVE-2024-46997 CRITICAL POC
9.8 Sep 23

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-37258 CRITICAL POC
9.8 Jul 25

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-33963 CRITICAL POC
9.8 Jun 01

DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-28437 CRITICAL POC
9.8 Mar 25

Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2022-39312 CRITICAL POC
9.8 Oct 25

Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

Share

CVE-2026-49867 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy