CVE-2026-49867

CVE-2026-49867CVE-2026-49867

Description

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase template static resources let authenticated users submit TemplateManageRequest.staticResource through POST /de2api/templateManage/save or DataVisualizationServer.decompression, after which StaticResourceServer.saveFilesToServe and StaticResourceServer.saveSingleFileToServe write Base64-decoded .svg content to /de2api/static-resource/<name>.svg without validating extension, MIME type, decoded bytes, or SVG scriptability, causing stored same-origin cross-site scripting when a victim loads the resource. This issue is fixed in version 2.10.23.

Scoring

Last modified2026-07-15
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.