Description
Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as onload/onerror event handlers or script-capable attributes. As a result, an attacker can upload a malicious SVG and then trigger script execution in a browser by visiting the exposed static resource URL, forming a full stored XSS exploitation chain. This vulnerability is fixed in 2.10.20.
Published: 2026-03-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (browser)
Action: Apply Patch
AI Analysis

Impact

Dataease allows users to upload SVG images through its static resource interface. The server only verifies that the uploaded file is XML‑parseable and that the root element is an svg tag, but it does not remove or neutralise active content such as onload, onerror, or script‑capable attributes. Consequently an attacker who can submit an SVG file can embed malicious JavaScript payloads in the file. When a victim’s browser requests the stored static resource URL, the embedded script executes in the context of the page, allowing the attacker to steal cookies, hijack sessions, deface content, or otherwise compromise the integrity of the client environment. This is a classic Stored XSS vulnerability classified under CWE‑79.

Affected Systems

All releases of Dataease version 2.10.19 and earlier are affected, as the flaw exists in the open‑source data visualization platform and has been fixed in version 2.10.20.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate level of impact. The EPSS score is below 1%, implying a low likelihood of current exploitation activity. The vulnerability is not listed in CISA’s known exploited vulnerabilities catalog. The attack path typically involves an attacker uploading a crafted SVG through the resource upload interface; the malicious payload is stored server‑side and becomes active when any user loads the static resource URL, completing a stored XSS exploitation chain that could cause client‑side data theft or session compromise.

Generated by OpenCVE AI on April 17, 2026 at 09:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dataease to version 2.10.20 or newer to eliminate the acceptance of unfiltered SVG content.
  • If an upgrade is not immediately feasible, disable or restrict the ability to upload SVG files via the static resource interface to prevent the storage of active content.
  • Apply a restrictive Content Security Policy that blocks inline script execution from static resource URLs to mitigate the impact of any stored XSS payloads.

Generated by OpenCVE AI on April 17, 2026 at 09:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Dataease
Dataease dataease
Vendors & Products Dataease
Dataease dataease

Thu, 12 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as onload/onerror event handlers or script-capable attributes. As a result, an attacker can upload a malicious SVG and then trigger script execution in a browser by visiting the exposed static resource URL, forming a full stored XSS exploitation chain. This vulnerability is fixed in 2.10.20.
Title Dataease: Unfiltered active SVG content leads to Stored XSS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Dataease Dataease
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:22:49.694Z

Reserved: 2026-03-10T22:19:36.546Z

Link: CVE-2026-32139

cve-icon Vulnrichment

Updated: 2026-03-13T16:22:46.485Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T18:16:25.410

Modified: 2026-03-13T16:02:45.857

Link: CVE-2026-32139

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z

Weaknesses