DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-24815: XML Hell: Critical RCE in Datavane TIS via XStream

Vulnerability ID: CVE-2026-24815
CVSS Score: 10.0
Published: 2026-01-27

Data integration platforms are a goldmine for attackers: they sit at the center of your infrastructure and hold credentials for every system they connect to. Datavane's TIS platform recently handed over those keys through a classic, almost nostalgic vulnerability class: XStream deserialization of untrusted input.

By combining an unrestricted file upload with an XStream instance that enforces no type allowlist, the platform lets an unauthenticated attacker execute arbitrary code with the privileges of the application. This isn't just a bug; it's a CVSS 10.0 catastrophe that turns a simple XML file into a remote shell.

TL;DR

Critical RCE (CVSS 10.0) in Datavane TIS versions before 4.3.0. An unauthenticated attacker can upload a malicious XML file which, when deserialized by the application's unrestricted XStream instance, executes arbitrary commands on the server.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-502 (Deserialization of Untrusted Data)
  • CVSS v4.0: 10.0 (Critical)
  • Attack Vector: Network (unauthenticated file upload)
  • Impact: Remote Code Execution (RCE)
  • EPSS Score: 0.00041 (roughly a 0.04% estimated probability of exploitation within 30 days; low)
  • Patch Status: Fixed in v4.3.0

Affected Systems

  • datavane/tis, versions before 4.3.0 (fixed in 4.3.0)
  • tis-plugin module

Code Analysis

Commit: b4f2c8d

Fix XStream deserialization vulnerability by adding type permissions

+ xs.allowTypesByWildcard(new String[] { "com.qlangtech.tis.**" });
+ xs.denyTypes(new Class[] { java.lang.ProcessBuilder.class });
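Review bot: no reset of the default permissions precedes the `xs.allowTypesByWildcard(...)` call in this hunk. On XStream releases before 1.4.18 the default permission set allows every type, so adding an allow rule widens nothing, and `xs.denyTypes(new Class[] { java.lang.ProcessBuilder.class })` then blocks exactly one class while every other gadget class on the classpath stays reachable. Add `xs.addPermission(NoTypePermission.NONE)` (or call `XStream.setupDefaultSecurity(xs)` on older releases) before the allow rule, and allow the JDK types the TIS model actually needs (primitives, `String`, collections) explicitly; the `denyTypes` line can stay as defence in depth, since permissions added later take priority. Note also that `"com.qlangtech.tis.**"` admits every class under the whole TIS package tree, not only the plugin descriptors this parser is meant to read.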

Exploit Details

  • GitHub: Vulnerability disclosure and fix in PR discussion

Mitigation Strategies

  • Upgrade to version 4.3.0 immediately.
  • Implement strict XStream allowlisting if maintaining a fork: clear the default permissions with NoTypePermission.NONE (or XStream.setupDefaultSecurity on releases before 1.4.18), then allow only the application's own types and the JDK types they need. A deny list of individual gadget classes such as ProcessBuilder is not a substitute for an allowlist.
  • Restrict network access to the TIS interface. Because the upload path needs no authentication, network-level controls are the only compensating control available until the upgrade is done.
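As an added example (not code from the TIS project or from the cvereports.com report), the following Java program puts the unrestricted XStream configuration this advisory describes next to the allowlisted form the fix moves toward. The package com.qlangtech.tis.demo, the PluginDescriptor class and both XML inputs are assumptions made for illustration; only the wildcard pattern and the ProcessBuilder deny rule come from the fix commit quoted above.

```java
// Added example, not TIS project code. Package, class names and the XML inputs
// below are assumptions for illustration; the wildcard pattern and the
// ProcessBuilder deny rule mirror the fix quoted in the advisory.
package com.qlangtech.tis.demo;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

public class XStreamHardeningDemo {

    // Stand-in for a TIS plugin descriptor (hypothetical). It lives under
    // com.qlangtech.tis so the wildcard permission from the fix admits it.
    public static class PluginDescriptor {
        String name;
        int version;
    }

    // Constructed inputs: a legitimate descriptor and an attacker-chosen JDK type.
    // Naming java.lang.ProcessBuilder here only shows that an unrestricted parser
    // will instantiate arbitrary JDK classes; it is not a working exploit chain.
    static final String GOOD_XML =
        "<pluginDescriptor><name>mysql-source</name><version>3</version></pluginDescriptor>";
    static final String BAD_XML =
        "<java.lang.ProcessBuilder><command><string>id</string></command></java.lang.ProcessBuilder>";

    // Before the fix: any class on the classpath may be named in the XML.
    // AnyTypePermission.ANY reproduces the pre-1.4.18 XStream default explicitly,
    // so the behaviour is the same on every XStream release.
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.alias("pluginDescriptor", PluginDescriptor.class);
        xs.addPermission(AnyTypePermission.ANY);
        return xs;
    }

    // After the fix: clear the defaults, then allow only what the data model needs.
    // Permissions added later take priority, so the deny rule at the end wins
    // even over the wildcard allow.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.alias("pluginDescriptor", PluginDescriptor.class);
        xs.addPermission(NoTypePermission.NONE);               // deny everything first
        xs.addPermission(NullPermission.NULL);                 // null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xs.allowTypes(new Class[] { String.class });
        xs.allowTypeHierarchy(Collection.class);               // only if fields hold collections
        xs.allowTypesByWildcard(new String[] { "com.qlangtech.tis.**" });
        xs.denyTypes(new Class[] { ProcessBuilder.class });    // defence in depth
        return xs;
    }

    // Returns what happened so the two configurations can be compared side by side.
    static String describe(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return "deserialized " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected by type permissions: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        for (String xml : new String[] { GOOD_XML, BAD_XML }) {
            System.out.println("unrestricted -> " + describe(unrestricted(), xml));
            System.out.println("hardened     -> " + describe(hardened(), xml));
        }
    }
}
```

The hardened instance deserializes the descriptor and throws ForbiddenClassException for the ProcessBuilder document; the unrestricted instance accepts both. On JDK 16 and later the unrestricted branch needs --add-opens java.base/java.lang=ALL-UNNAMED to set ProcessBuilder's private field reflectively, which is exactly the kind of flag a legacy deployment tends to carry; without it that branch fails with an access error rather than a security rejection, which is not the same protection.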

Remediation Steps:

  1. Download the TIS v4.3.0 release package.
  2. Stop the running TIS server instance.
  3. Replace the tis-plugin jar files or the entire application distribution.
  4. Restart the server.
  5. Verify the version in the administration console.

Read the full report for CVE-2026-24815 on our website for more details including interactive diagrams and full exploit analysis.
