Lucene search
+L

784 matches found

CVE
CVE
added 2 days ago12 views

CVE-2026-50030

DataEase prior to 2.10.23 exposes the SQL preview path (DatasetDataApi.previewSql/previewSqlCheck) via /de2api/datasetData/previewSql, accepting PreviewSqlDTO.sql, PreviewSqlDTO.datasourceId, and PreviewSqlDTO.isCross. The system stores decoded SQL in datasourceRequest.query and CalciteProvider.f...

7.1CVSS6.2AI score0.00269EPSS
Exploits0References3
CVE
CVE
added 2 days ago12 views

CVE-2026-45419

DataEase contains an arbitrary file write vulnerability present before version 2.10.23. The flaw resides in template handling: the TemplateManageService#save, StaticResourceServer#saveFilesToServe methods and the /de2api/templateManage/save endpoint accept attacker-controlled staticResource names...

8.5CVSS6.2AI score0.00313EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago33 views

CVE-2026-45417 DataEase: SQL injection vulnerability

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase datasource connection status checks concatenate configuration.getSchema into getTablesSql and execute the resulting SQL with executeQuery in io.dataease.datasource.provider.CalciteProvidercheckStatus,...

8.7CVSS0.00227EPSS
Exploits0References3
CVE
CVE
added 2 days ago8 views

CVE-2026-45417

DataEase (open source data visualization/analysis tool) is affected by a SQL injection in the CalciteProvider#checkStatus path. Before version 2.10.23, datasource connection status checks concatenate configuration.getSchema() into getTablesSql and then executeQuery runs the resulting SQL, enablin...

8.7CVSS6.2AI score0.00227EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-45534 DataEase: RCE Vulnerability

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase Redshift datasource connections can load attacker-controlled rsjdbc.ini configuration from System.getProperty"java.io.tmpdir", setting...

9CVSS0.00396EPSS
Exploits0References3
CVE
CVE
added 2 days ago11 views

CVE-2026-45534

DataEase prior to 2.10.23 is affected by an RCE in Redshift datasource connections. The issue arises when attacker-controlled rsjdbc.ini is loaded from System.getProperty("java.io.tmpdir"), with socketFactory set to org.springframework.context.support.FileSystemXmlApplicationContext, allowing com...

9CVSS6.5AI score0.00396EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 9:17 p.m.9 views

CVE-2026-55647

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, dashboard text components render stored component content with Vue v-html without server-side HTML sanitization, allowing an authenticated user who can edit dashboard component data to inject HTML with executable...

5.1CVSS0.00269EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 9:17 p.m.10 views

CVE-2026-57172

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs,...

8.3CVSS0.00289EPSS
Exploits0References2
NVD
NVD
added 2026/07/07 9:17 p.m.10 views

CVE-2026-55631

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the font management module allows authenticated users to submit an arbitrary fileTransName when creating a font record; when the record is later deleted, the backend concatenates that stored value with the font...

7.2CVSS0.00313EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 9:17 p.m.9 views

CVE-2026-55635

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, chart quota and Y-axis filters embed attacker-controlled filter values directly into generated SQL in Quota2SQLObj.getYWheres without applying the SQL literal validation and escaping used by other filter paths,...

8.7CVSS0.00266EPSS
Exploits0References2
NVD
NVD
added 2026/07/07 9:17 p.m.7 views

CVE-2026-50529

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid...

8.7CVSS0.00285EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 9:17 p.m.7 views

CVE-2026-50530

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing...

7.1CVSS0.00238EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 9:17 p.m.7 views

CVE-2026-53729

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, any authenticated user can download /exportCenter/download/id, delete /exportCenter/delete, retry /exportCenter/retry/id, or generate download links /exportCenter/generateDownloadUri/id for export tasks belonging t...

8.7CVSS0.00391EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 9:17 p.m.7 views

CVE-2026-53751

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the H2 database JDBC URL validation logic can be bypassed with special Unicode characters whose case-conversion behavior differs between DataEase validation and H2 parsing, allowing attackers to smuggle dangerous...

8.7CVSS0.00375EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 9:17 p.m.9 views

CVE-2026-53730

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation annotation, allowing any authenticated user to specify datasourceId=-1, access the built-in engine database, execute...

8.7CVSS0.00235EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/07 8:41 p.m.28 views

CVE-2026-50530 DataEase: Token with Overly Broad Privileges in Share Mode: Access to Unshared Datasets

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing...

7.1CVSS0.00238EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:41 p.m.5 views

CVE-2026-50530

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing...

7.1CVSS6AI score0.00238EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/07/07 8:41 p.m.20 views

CVE-2026-50530

DataEase prior to version 2.10.24 exposes a vulnerability in the share mode chart data interface. The API path POST /de2api/chartData/getData only validates that sceneId matches the resourceId in the link token and does not verify whether tableId and field IDs in the request body belong to the sh...

7.1CVSS6AI score0.00238EPSS
Exploits0References3
OSV
OSV
added 2026/07/07 8:41 p.m.6 views

CVE-2026-50530 DataEase: Token with Overly Broad Privileges in Share Mode: Access to Unshared Datasets

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing...

7.1CVSS6AI score0.00238EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/07 8:39 p.m.31 views

CVE-2026-50529 DataEase: Link Token Leakage Prior to Share Password/Ticket Validation

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid...

8.7CVSS0.00285EPSS
Exploits0References3
Rows per page
Query Builder