5 matches found
CVE-2026-50530
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing...
CVE-2026-50529
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid...
CVE-2026-55647
DataEase (open source data visualization/analysis tool) contains an XSS flaw in dashboard text components. Before version 2.10.24, stored content rendered via Vue v-html without server-side sanitization, enabling an authenticated user who can edit dashboard component data to inject HTML with exec...
CVE-2026-57172
DataEase prior to 2.10.24 is affected by a hardcoded default share link signature key in ShareSecretManage. An attacker who can obtain a passwordless share for a resource and user can use the known key to forge linkToken JWTs (link-pwd-fit2cloud), bypass TokenFilter verification, and access backe...
CVE-2026-55631
DataEase exposes a path-traversal flaw in the font management module prior to version 2.10.24. Authenticated users could submit an arbitrary fileTransName when creating a font record; on deletion, the stored value is concatenated with the font storage directory and passed to FileUtils.deleteFile(...