CVE-2026-49867
DataEase: Authenticated Stored XSS in DataEase Template Static Resources
DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase template static resources let authenticated users submit TemplateManageRequest.staticResource through POST /de2api/templateManage/save or DataVisualizationServer.decompression, after which StaticResourceServer.saveFilesToServe and StaticResourceServer.saveSingleFileToServe write Base64-decoded .svg content to /de2api/static-resource/<name>.svg without validating extension, MIME type, decoded bytes, or SVG scriptability, causing stored same-origin cross-site scripting when a victim loads the resource. This issue is fixed in version 2.10.23.
| CWE | CWE-79 |
| Vendor | dataease |
| Product | dataease |
| Published | Jul 15, 2026 |
Get instant alerts for dataease dataease
Be the first to know when new unknown vulnerabilities affecting dataease dataease are published โ delivered to Slack, Telegram or Discord.