PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55647 dataease CVE debrief

CVE-2026-55647 is a medium severity vulnerability in DataEase, an open source data visualization and analysis tool. Prior to version 2.10.24, dashboard text components render stored component content with Vue v-html without server-side HTML sanitization, allowing an authenticated user who can edit dashboard component data to inject HTML with executable event handlers that execute when another user or shared-link visitor views the dashboard. The vulnerability has a CVSS score of 5.1 and is classified as MEDIUM. The CVE record was published on 2026-07-07T21:17:28.060Z and has not been modified since then.

Vendor
dataease
Product
Unknown
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of DataEase version prior to 2.10.24 who utilize dashboard text components should apply the patch to prevent potential stored content injection attacks. Affected operators should review their platform's vulnerability management and security teams should prioritize patching. Security teams should also monitor dashboard usage for suspicious activity.

Technical summary

The vulnerability exists in the dashboard text components of DataEase, where stored content is rendered using Vue v-html without proper server-side HTML sanitization. This allows an authenticated user with the ability to edit dashboard component data to inject malicious HTML, including executable event handlers. When another user or a visitor accessing the dashboard via a shared link views the dashboard, the injected event handlers are executed. The issue is fixed in version 2.10.24.

Defensive priority

Medium priority due to the requirement for authentication and user interaction to exploit. However, defenders should prioritize patching and review dashboard component data for potential injection attacks.

Recommended defensive actions

  • Apply the patch by upgrading to DataEase version 2.10.24 or later.
  • Restrict editing of dashboard component data to trusted users.
  • Monitor dashboard usage for suspicious activity.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-07T21:17:28.060Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that defenders verify the patching status of DataEase instances and review dashboard component data for potential injection attacks. Additional verification tasks include checking for suspicious activity and ensuring proper server-side HTML sanitization.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:28.060Z and has not been modified since then.