{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32139", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.546Z", "datePublished": "2026-03-12T17:57:32.247Z", "dateUpdated": "2026-03-13T16:22:49.694Z"}, "containers": {"cna": {"title": "Dataease: Unfiltered active SVG content leads to Stored XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-wx8m-vf8v-crvr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-wx8m-vf8v-crvr"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 2.10.20", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T17:57:32.247Z"}, "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as onload/onerror event handlers or script-capable attributes. As a result, an attacker can upload a malicious SVG and then trigger script execution in a browser by visiting the exposed static resource URL, forming a full stored XSS exploitation chain. This vulnerability is fixed in 2.10.20."}], "source": {"advisory": "GHSA-wx8m-vf8v-crvr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:22:43.547892Z", "id": "CVE-2026-32139", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:22:49.694Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32139", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:22:43.547892Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:22:46.485Z"}}], "cna": {"title": "Dataease: Unfiltered active SVG content leads to Stored XSS", "source": {"advisory": "GHSA-wx8m-vf8v-crvr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 2.10.20"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-wx8m-vf8v-crvr", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-wx8m-vf8v-crvr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as onload/onerror event handlers or script-capable attributes. As a result, an attacker can upload a malicious SVG and then trigger script execution in a browser by visiting the exposed static resource URL, forming a full stored XSS exploitation chain. This vulnerability is fixed in 2.10.20."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T17:57:32.247Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32139", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:22:49.694Z", "dateReserved": "2026-03-10T22:19:36.546Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T17:57:32.247Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "matchCriteriaId": "788CE210-A4A2-469E-B250-E5B1A46FA2CD", "versionEndExcluding": "2.10.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as onload/onerror event handlers or script-capable attributes. As a result, an attacker can upload a malicious SVG and then trigger script execution in a browser by visiting the exposed static resource URL, forming a full stored XSS exploitation chain. This vulnerability is fixed in 2.10.20."}, {"lang": "es", "value": "Dataease es una herramienta de an\u00e1lisis de visualizaci\u00f3n de datos de c\u00f3digo abierto. En DataEase 2.10.19 y versiones anteriores, la interfaz de carga de recursos est\u00e1ticos permite cargas de SVG. Sin embargo, la validaci\u00f3n del backend solo verifica si el XML es analizable y si el nodo ra\u00edz es svg. No sanea contenido activo como los manejadores de eventos onload/onerror o atributos con capacidad de script. Como resultado, un atacante puede cargar un SVG malicioso y luego activar la ejecuci\u00f3n de scripts en un navegador al visitar la URL del recurso est\u00e1tico expuesto, formando una cadena completa de explotaci\u00f3n de XSS almacenado. Esta vulnerabilidad est\u00e1 corregida en 2.10.20."}], "id": "CVE-2026-32139", "lastModified": "2026-03-13T16:02:45.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T18:16:25.410", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-wx8m-vf8v-crvr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.20)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dataease", "source": "cna", "vendor": "dataease"}, "product": "dataease", "vendor": "dataease"}], "analysis": {"en": {"generated_at": "2026-04-17T09:57:11.555864+00:00", "value": {"mitigation_remediation": ["Upgrade Dataease to version 2.10.20 or newer to eliminate the acceptance of unfiltered SVG content.", "If an upgrade is not immediately feasible, disable or restrict the ability to upload SVG files via the static resource interface to prevent the storage of active content.", "Apply a restrictive Content Security Policy that blocks inline script execution from static resource URLs to mitigate the impact of any stored XSS payloads."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (browser)"}, "threat_synthesis": {"affected_systems": "All releases of Dataease version 2.10.19 and earlier are affected, as the flaw exists in the open\u2011source data visualization platform and has been fixed in version 2.10.20.", "description_and_impact": "Dataease allows users to upload SVG images through its static resource interface. The server only verifies that the uploaded file is XML\u2011parseable and that the root element is an svg tag, but it does not remove or neutralise active content such as onload, onerror, or script\u2011capable attributes. Consequently an attacker who can submit an SVG file can embed malicious JavaScript payloads in the file. When a victim\u2019s browser requests the stored static resource URL, the embedded script executes in the context of the page, allowing the attacker to steal cookies, hijack sessions, deface content, or otherwise compromise the integrity of the client environment. This is a classic Stored XSS vulnerability classified under CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate level of impact. The EPSS score is below 1%, implying a low likelihood of current exploitation activity. The vulnerability is not listed in CISA\u2019s known exploited vulnerabilities catalog. The attack path typically involves an attacker uploading a crafted SVG through the resource upload interface; the malicious payload is stored server\u2011side and becomes active when any user loads the static resource URL, completing a stored XSS exploitation chain that could cause client\u2011side data theft or session compromise."}}}}, "created": "2026-03-13T09:50:37.024308+00:00", "updated": "2026-04-17T10:00:03.572914+00:00", "vendors": ["dataease", "dataease$PRODUCT$dataease"]}