PT-2026-25035 · Dataease+1 · Dataease

Wei +1 · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32139

CVSS v3.1
5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Dataease versions 2.10.19 and earlier

Description
Dataease is a data visualization analysis tool. The static resource upload interface allows SVG uploads. Backend validation only checks that the XML is parseable and that the root node is svg; it does not sanitize active content such as onload/onerror event handlers or script-capable attributes. An attacker can upload a malicious SVG, and script executes in a browser when the exposed static resource URL is visited, resulting in a stored cross-site scripting (XSS) exploitation chain.

Recommendations
Update Dataease to version 2.10.20 or later.
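
The gap between the check described above and one that inspects active content, as an added Python example (not Dataease's code and not the 2.10.20 fix). The function names, the deny-list contents and the sample uploads are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Deny-list for illustration only (assumed, not Dataease's list).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}  # xlink:href becomes "href" once the namespace is stripped

# Constructed sample uploads.
NS = b'xmlns="http://www.w3.org/2000/svg"'
BENIGN = b'<svg ' + NS + b'><circle r="4"/></svg>'
ONLOAD = b'<svg ' + NS + b' onload="void 0"/>'
LINK = (b'<svg ' + NS + b' xmlns:xlink="http://www.w3.org/1999/xlink">'
        b'<a xlink:href="JavaScript:void 0"><text>x</text></a></svg>')


def local(name: str) -> str:
    """Strip a '{namespace}' prefix and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()


def weak_check(data: bytes) -> bool:
    """The check the advisory describes: parseable XML with an svg root."""
    try:
        return local(ET.fromstring(data).tag) == "svg"
    except ET.ParseError:
        return False


def active_content(data: bytes) -> list:
    """Return reasons to reject the upload; an empty list means none found."""
    if b"<!doctype" in data.lower():
        return ["DOCTYPE declaration"]  # refuse before any entity is expanded
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    if local(root.tag) != "svg":
        return ["root element is not svg"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            # Drop whitespace and control characters before testing the scheme.
            compact = "".join(ch for ch in value if ch > " ").lower()
            if attr.startswith("on"):
                findings.append(f"{attr} handler on <{tag}>")
            elif attr in URL_ATTRS and compact.startswith(("javascript:", "data:text/html")):
                findings.append(f"script-capable {attr} on <{tag}>")
    return findings
```

A deny-list like this shows what the root-node check misses; an allowlist of permitted elements and attributes is the stronger design. Serving uploaded SVG with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` limits the impact of anything a filter lets through.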

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32139
GHSA-WX8M-VF8V-CRVR

Affected Products

Dataease