Lucene search
K

6 matches found

ATTACKERKB
ATTACKERKB
added 2026/07/07 8:29 p.m.8 views

CVE-2026-53730

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation annotation, allowing any authenticated user to specify datasourceId=-1, access the built-in engine database, execute...

8.7CVSS6.2AI score0.00235EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/07/07 8:29 p.m.10 views

CVE-2026-53730

CVE-2026-53730 — DataEase : Affected product is DataEase (open source data visualization/analysis tool). Before version 2.10.24, the /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation, allowing any authenticated user to specify datasourceId=-1, access the ...

8.7CVSS6.2AI score0.00235EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.6 views

PT-2026-56247

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.24 Description The '/de2api/datasetData/previewSql' endpoint lacks the mandatory @DePermit permission validation annotation. This allows any authenticated user to set the datasourceId variable to -1, granting...

8.7CVSS6.3AI score0.00235EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/06/05 7:14 p.m.12 views

CVE-2026-40900

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement...

8.8CVSS5.9AI score0.00342EPSS
Exploits1References1
OSV
OSV
added 2026/04/16 8:57 p.m.2 views

CVE-2026-40901 DataEase: Quartz Deserialization → Remote Code Execution

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializ...

9CVSS6.4AI score0.0063EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/04/16 8:53 p.m.17 views

CVE-2026-40900 DataEase has SQL Injection via Stacked Queries

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement...

8.7CVSS0.00342EPSS
Exploits1References2
Rows per page
Query Builder