Executive Summary

CVE-2026-32139 is a Stored Cross-Site Scripting (XSS) vulnerability in DataEase versions 2.10.19 and earlier. It occurs because the static resource upload interface allows uploading SVG files without properly sanitizing active content within them.

The backend validation only checks if the uploaded SVG is parseable XML and if its root node is <svg>. However, it does not remove or sanitize active event handlers like onload or onerror, or other script-capable attributes embedded in the SVG.

As a result, an attacker can upload a malicious SVG containing JavaScript payloads that execute when a victim accesses the SVG URL, enabling a full stored XSS attack.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows attackers to execute arbitrary JavaScript code in the context of a victim's browser by uploading a malicious SVG file and tricking users into accessing it."}, {'type': 'list_item', 'content': 'Attackers can steal cookies, session tokens, or other sensitive information.'}, {'type': 'list_item', 'content': 'It can lead to unauthorized actions performed on behalf of the victim.'}, {'type': 'list_item', 'content': 'It compromises the security and integrity of the affected application and its users.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying whether your DataEase installation allows uploading SVG files containing active event handlers or script-capable attributes without proper sanitization.'}, {'type': 'paragraph', 'content': 'One approach is to check if the upload API endpoint "upload/{fileId}" accepts SVG files and if those files are served directly via the static resource URL path "/de2api/static-resource/**".'}, {'type': 'paragraph', 'content': 'You can attempt to upload a test SVG file containing an onload event, such as `<svg onload="alert(\'test\')">`, and then access the uploaded file URL to see if the script executes.'}, {'type': 'paragraph', 'content': 'For network detection, monitor HTTP POST requests to the upload endpoint for SVG files and subsequent GET requests to static resource URLs serving SVGs.'}, {'type': 'paragraph', 'content': 'Specific commands depend on your environment, but examples include:'}, {'type': 'list_item', 'content': 'Using curl to upload a test SVG file: `curl -X POST -F "[email protected]" https://your-dataease-instance/upload/{fileId}`'}, {'type': 'list_item', 'content': 'Using curl or wget to access the uploaded SVG URL: `curl https://your-dataease-instance/de2api/static-resource/{fileId}.svg`'}, {'type': 'list_item', 'content': 'Using network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests to the upload endpoint and GET requests to static resource URLs.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade DataEase to version 2.10.20 or later, where this vulnerability is fixed by proper sanitization of SVG uploads.

There are no effective workarounds other than upgrading.

Until you can upgrade, consider restricting or disabling SVG uploads via the static resource upload interface to prevent malicious SVG files from being uploaded.

Additionally, monitor and audit uploaded files for suspicious SVG content containing active event handlers or scripts.

Useful 0 Not Useful 0