CVE-2026-24815
Unknown Unknown - Not Provided
Unrestricted File Upload and Deserialization Flaw in datavane tis Before v

Publication date: 2026-01-27

Last updated on: 2026-01-27

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java. This issue affects tis: before v4.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-01-27
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24815
EUVD
EUVD-2026-4764
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
datavane tis to 4.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves an unrestricted upload of files with dangerous types and the deserialization of untrusted data in the datavane tis software. Specifically, it is related to the XStream library's XML deserialization process, which lacks proper security restrictions. This allows an attacker to execute remote code by deserializing arbitrary classes through malicious XML input. The issue affects versions of tis before v4.3.0 and is associated with the program files XmlFile.Java. [1]

Impact Analysis

The vulnerability can lead to remote code execution on the affected system, allowing an attacker to run arbitrary code with potentially high privileges. This can result in full system compromise, data theft, data corruption, or disruption of services. [1]

Mitigation Strategies

To mitigate this vulnerability, upgrade the datavane tis software to version 4.3.0 or later, where the security fix has been applied. The fix restricts the classes that the XStream library can deserialize, preventing exploitation through malicious XML input. Applying this update will prevent remote code execution caused by deserialization of untrusted data. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24815. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart