CVE-2026-49867 in DataEaseinformação

Sumário

de MITRE • 15/07/2026

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase template static resources let authenticated users submit TemplateManageRequest.staticResource through POST /de2api/templateManage/save or DataVisualizationServer.decompression, after which StaticResourceServer.saveFilesToServe and StaticResourceServer.saveSingleFileToServe write Base64-decoded .svg content to /de2api/static-resource/<name>.svg without validating extension, MIME type, decoded bytes, or SVG scriptability, causing stored same-origin cross-site scripting when a victim loads the resource. This issue is fixed in version 2.10.23.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Responsável

GitHub M

Reservar

02/06/2026

Divulgação

15/07/2026

Moderação

aceite

Entrada

VDB-379396

CPE

pronto

EPSS

0.00000

KEV

não

Atividades

muito baixo

Fontes

Might our Artificial Intelligence support you?

Check our Alexa App!