VYPR

Dataease

by Dataease

CVEs (72)

  • CVE-2026-33122 | Critical | Apr 16, 2026
    risk 0.57 | CVSS 9.8 | EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the…

  • CVE-2026-33082 | Critical | Apr 16, 2026
    risk 0.57 | CVSS 9.8 | EPSS 0.00

    DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and…

  • CVE-2026-40901 | High | Apr 16, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.01

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the…

  • CVE-2026-40900 | High | Apr 16, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single…

  • CVE-2026-33207 | High | Apr 16, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly…

  • CVE-2026-33121 | High | Apr 16, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL…

  • CVE-2026-33084 | High | Apr 16, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly transfers the user-supplied…

  • CVE-2026-33083 | High | Apr 16, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and…

  • CVE-2026-40899 | Medium | Apr 16, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter…

  • CVE-2026-8724 | Medium | May 17, 2026
    risk 0.31 | CVSS 4.7 | EPSS 0.00

    A security flaw has been discovered in Dataease 2.10.20. The affected function is SqlparserUtils.transFilter in the file SqlparserUtils.java of the component Data Dashboard. The manipulation results in SQL injection. The attack may be launched remotely. The exploit has been…

  • CVE-2024-30269 | Apr 8, 2024
    risk 0.10 | CVSS n/a | EPSS 0.16

    DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned.…

  • CVE-2024-47073 | Nov 7, 2024
    risk 0.04 | CVSS n/a | EPSS 0.01

    DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any…

  • CVE-2025-49002 | Jun 3, 2025
    risk 0.02 | CVSS n/a | EPSS 0.42

    DataEase is an open source business intelligence and data visualization tool. Versions prior to version 2.10.10 have a flaw in the patch for CVE-2025-32966 that allows the patch to be bypassed through case insensitivity because INIT and RUNSCRIPT are prohibited. The vulnerability…

  • CVE-2024-46997 | Sep 23, 2024
    risk 0.02 | CVSS n/a | EPSS 0.01

    DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability has been fixed in v2.10.1.

  • CVE-2025-57772 | Aug 25, 2025
    risk 0.01 | CVSS n/a | EPSS 0.08

    DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is an H2 JDBC RCE bypass in DataEase. If the JDBC URL meets the criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This…

  • CVE-2025-57773 | Aug 25, 2025
    risk 0.01 | CVSS n/a | EPSS 0.07

    DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, because DB2 parameters are not filtered, a JNDI injection attack can be directly launched. JNDI triggers an AspectJWeaver deserialization attack, writing to various files.…

  • CVE-2025-49001 | Jun 3, 2025
    risk 0.01 | CVSS n/a | EPSS 0.19

    DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds…

  • CVE-2023-33963 | Jun 1, 2023
    risk 0.01 | CVSS n/a | EPSS 0.01

    DataEase is an open source data visualization and analysis tool. Prior to version 1.18.7, a deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The vulnerability has been fixed in v1.18.7. There are no known…

  • CVE-2026-32939 | Mar 20, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale,…

  • CVE-2026-32140 | Mar 12, 2026
    risk 0.00 | CVSS n/a | EPSS 0.01

    Dataease is an open source data visualization analysis tool. Prior to 2.10.20, by controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to…

Page 1 of 4