CVE-2026-49867 in DataEaseinformación

Resumen

por MITRE • 2026-07-15

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase template static resources let authenticated users submit TemplateManageRequest.staticResource through POST /de2api/templateManage/save or DataVisualizationServer.decompression, after which StaticResourceServer.saveFilesToServe and StaticResourceServer.saveSingleFileToServe write Base64-decoded .svg content to /de2api/static-resource/<name>.svg without validating extension, MIME type, decoded bytes, or SVG scriptability, causing stored same-origin cross-site scripting when a victim loads the resource. This issue is fixed in version 2.10.23.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Responsable

GitHub M

Reservar

2026-06-02

Divulgación

2026-07-15

Moderación

aceptado

Artículo

VDB-379396

CPE

listo

EPSS

0.00000

KEV

no

Actividades

muy bajo

Fuentes

Might our Artificial Intelligence support you?

Check our Alexa App!