Cross-Site Scripting Vulnerability in DataEase Visualization Tool
CVE-2026-55647

5.1MEDIUM

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-55647?

DataEase, an open source data visualization tool, contains a vulnerability where dashboard text components can render untrusted HTML due to insufficient server-side sanitization. An authenticated user with editing rights can inject malicious HTML with executable event handlers, leading to potential cross-site scripting attacks. This security flaw impacts users viewing the dashboard, as they may unknowingly execute the injected code. The issue was addressed in version 2.10.24, where proper sanitization measures were implemented to mitigate such risks.

Affected Version(s)

dataease < 2.10.24

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.