Cross-site scripting in DataEase - CVE-2026-49867


Published: June 18, 2026


Vulnerability identifier: #VU134814
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-49867
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DataEase
Affected software:
DataEase

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser session.

The vulnerability exists due to improper neutralization of script in the template static-resource handling when processing template save or import requests containing crafted SVG content. A remote user can submit a crafted SVG file through a template or import flow to execute arbitrary JavaScript in the victim's browser session.

User interaction is required to open or otherwise load the generated SVG resource served from the application's same-origin public static-resource path.
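The two defensive controls implied by the description above are (1) refusing SVG uploads that carry script-capable constructs before they are stored, and (2) serving whatever is stored under a public static path in a way that cannot run script against the application's origin. The following Python is an added example illustrating both; it is not DataEase's code, and the function names, the header set and the two sample SVG documents are constructed for this illustration.

```python
"""Gate uploaded SVG content and build hardened headers for serving it.

Example code added for this advisory; not part of DataEase. All names and
sample inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Element names that can execute script or embed active content in an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}


def _local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def _is_javascript_url(value):
    """True if the value is a javascript: URL, after removing the control
    characters and spaces browsers ignore inside a scheme (e.g. 'java\\tscript:')."""
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")


def find_active_content(svg_bytes):
    """Return a list of findings for constructs that could run script.

    A non-empty list means the document must be rejected (or passed to a real
    sanitizer) before it is stored under a same-origin static path.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Malformed XML is treated as untrusted rather than silently accepted.
        return [f"unparseable SVG: {exc}"]

    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            # onload=, onclick=, onmouseover=, ... all execute script.
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            # href / xlink:href pointing at a javascript: URL (e.g. on <a> or <use>).
            if attr_name == "href" and _is_javascript_url(value):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def is_acceptable_svg(svg_bytes):
    """Upload gate: accept only when no script-capable construct was found."""
    return not find_active_content(svg_bytes)


def static_svg_response_headers():
    """Headers for serving a user-supplied SVG from the application's origin.

    Defense in depth: even a file that passed the gate is delivered as a
    download in an isolated context, so script that slips through cannot run
    with the application's origin.
    """
    return {
        "Content-Type": "image/svg+xml",
        # Download instead of rendering as a top-level document.
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        # If it is rendered anyway: opaque origin, and no script source allowed.
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
    }


# Constructed samples: a benign icon and one with the script-capable constructs above.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
HOSTILE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">
  <script>run()</script>
  <a href="java&#x09;script:run()"><text>x</text></a>
  <use xlink:href="javascript:run()"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, "accepted" if is_acceptable_svg(doc) else find_active_content(doc))
    print(static_svg_response_headers())
```

The gate is deliberately a reject-list detector rather than a sanitizer: it catches the obvious vectors (script elements, `on*` handlers, `javascript:` hrefs, including entity-encoded and tab-split forms, which the XML parser decodes before the check runs), but a production import flow should run an allowlist sanitizer or rasterize the image, and the response headers should be applied regardless of what the gate returns. For hardened XML parsing of untrusted input, substitute `defusedxml` for `xml.etree`.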


How to mitigate CVE-2026-49867

Install the security update from the vendor's website.

Sources