Lucene search
+L

782 matches found

CVE
CVE
added 2026/07/07 8:27 p.m.15 views

CVE-2026-55633

DataEase CVE-2026-55633 affects the DataEase open-source data visualization tool prior to version 2.10.24. The issue arises from a bypass of the H2 zip protocol and file dropper fix, enabling an authenticated attacker to upload a zip archive disguised with a .ttf extension via FontManage.saveFile...

8.7CVSS6.3AI score0.00501EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:27 p.m.6 views

CVE-2026-55633

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a bypass of the H2 zip protocol and file dropper fix allows an authenticated attacker to upload a zip archive disguised with a .ttf extension through FontManage.saveFile and then exploit it through the zip protocol...

8.7CVSS6.3AI score0.00501EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/07/07 8:27 p.m.6 views

CVE-2026-55633 DataEase H2 RCE via Zip Protocol & File Dropper Fix bypass

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a bypass of the H2 zip protocol and file dropper fix allows an authenticated attacker to upload a zip archive disguised with a .ttf extension through FontManage.saveFile and then exploit it through the zip protocol...

8.7CVSS6.3AI score0.00501EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/07 8:24 p.m.31 views

CVE-2026-55631 DataEase: Path Traversal Leading to Arbitrary File Deletion via Font Management

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the font management module allows authenticated users to submit an arbitrary fileTransName when creating a font record; when the record is later deleted, the backend concatenates that stored value with the font...

7.2CVSS0.00313EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 8:24 p.m.15 views

CVE-2026-55631

DataEase exposes a path-traversal flaw in the font management module prior to version 2.10.24. Authenticated users could submit an arbitrary fileTransName when creating a font record; on deletion, the stored value is concatenated with the font storage directory and passed to FileUtils.deleteFile(...

7.2CVSS6.1AI score0.00313EPSS
Exploits0References3
OSV
OSV
added 2026/07/07 8:24 p.m.7 views

CVE-2026-55631 DataEase: Path Traversal Leading to Arbitrary File Deletion via Font Management

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the font management module allows authenticated users to submit an arbitrary fileTransName when creating a font record; when the record is later deleted, the backend concatenates that stored value with the font...

7.2CVSS6.1AI score0.00313EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/07 8:23 p.m.28 views

CVE-2026-53729 DataEase ExportCenter IDOR allows cross-user export task access

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, any authenticated user can download /exportCenter/download/id, delete /exportCenter/delete, retry /exportCenter/retry/id, or generate download links /exportCenter/generateDownloadUri/id for export tasks belonging t...

8.7CVSS0.00391EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 8:23 p.m.9 views

CVE-2026-53729

DataEase (open source data visualization/analysis tool) contains an IDOR in the ExportCenter area. Before version 2.10.24, an authenticated user could manipulate the task ID to download, delete, retry, or generate download links for export tasks belonging to other users; additionally, the /export...

8.7CVSS5.9AI score0.00391EPSS
Exploits0References3
OSV
OSV
added 2026/07/07 8:23 p.m.7 views

CVE-2026-53729 DataEase ExportCenter IDOR allows cross-user export task access

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, any authenticated user can download /exportCenter/download/id, delete /exportCenter/delete, retry /exportCenter/retry/id, or generate download links /exportCenter/generateDownloadUri/id for export tasks belonging t...

8.7CVSS5.9AI score0.00391EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.9 views

PT-2026-56253

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.24 Description Dashboard text components render stored content using Vue v-html without server-side HTML sanitization. This allows an authenticated user with permissions to edit dashboard component data to injec...

5.1CVSS6.2AI score0.00269EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.7 views

PT-2026-56245

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.24 Description A share mode chart data interface fails to validate whether the tableId and field IDs provided in the request body belong to the shared resource. It only verifies that the sceneId matches the...

7.1CVSS6.1AI score0.00238EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.6 views

PT-2026-56247

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.24 Description The '/de2api/datasetData/previewSql' endpoint lacks the mandatory @DePermit permission validation annotation. This allows any authenticated user to set the datasourceId variable to -1, granting...

8.7CVSS6.3AI score0.00235EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.8 views

PT-2026-56252

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.24 Description An authenticated user capable of creating or modifying chart definitions, or submitting chart data requests containing quota filters, can inject SQL into queries executed against configured...

8.7CVSS6.1AI score0.00266EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.10 views

PT-2026-56248

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.24 Description DataEase is an open source data visualization and analysis tool. The H2 database JDBC URL validation logic can be bypassed using special Unicode characters. This occurs because the case-conversion...

8.7CVSS6.2AI score0.00375EPSS
Exploits0References11
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.10 views

CVE-2026-33083

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLOb...

8.8CVSS5.7AI score0.00328EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.15 views

CVE-2026-33122

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from th...

9.8CVSS5.7AI score0.00405EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.8 views

CVE-2026-33082

DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to...

9.8CVSS5.8AI score0.00325EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.12 views

CVE-2026-33121

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple strin...

8.8CVSS5.7AI score0.00328EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:14 p.m.12 views

CVE-2026-40900

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement...

8.8CVSS5.9AI score0.00342EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.9 views

CVE-2026-40901

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializ...

9CVSS6.3AI score0.0063EPSS
Exploits1References1
Rows per page
Query Builder