Skip to main content

DataEase CVE-2026-45533

| EUVDEUVD-2026-44781 HIGH
Path Traversal (CWE-22)
2026-07-15 GitHub_M
8.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-reachable low-complexity API abuse needing an authenticated account (PR:L); deletion of files outside the app's export directory crosses a security boundary (S:C) with destructive availability impact (A:H) and no confidentiality/integrity read impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 21:18 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 20:05 vuln.today
Analysis Generated
Jul 15, 2026 - 20:05 vuln.today
CVE Published
Jul 15, 2026 - 19:39 cve.org
HIGH 8.3

DescriptionCVE.org

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase export-center deletion can accept path traversal sequences such as ../ in the bulk delete API endpoint and pass attacker-controlled identifiers to ExportCenterManage.delete, allowing recursive deletion of arbitrary server directories through export task cleanup. This issue is fixed in version 2.10.23.

AnalysisAI

Arbitrary directory deletion in DataEase, an open-source data visualization and analysis platform, allows an authenticated user (PR:L) to abuse the export-center bulk delete API by injecting path traversal sequences (../) into task identifiers, which are passed unsanitized to ExportCenterManage.delete and used to recursively delete server directories. All releases prior to 2.10.23 are affected, and the fix in 2.10.23 constrains deletion to identifiers that exist as legitimate export tasks in the database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege DataEase account
Delivery
Craft bulk delete request with ../ in task id
Exploit
Bypass path validation in ExportCenterManage.delete
Execution
deleteDirectoryRecursively runs on traversed path
Persist
Recursive deletion of arbitrary server directories
Impact
Data loss and denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated DataEase account with access to the export-center bulk delete API endpoint (CVSS PR:L confirms low but non-zero privileges are needed - this is not unauthenticated). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 8.3 (High) with vector AV:N/AC:L/AT:N/PR:L/UI:N and impact concentrated on availability (VA:H, SA:H) - consistent with a destructive file-deletion primitive rather than data theft, since confidentiality and integrity are rated N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds any low-privilege DataEase account (or has hijacked one) sends a crafted bulk delete request to the export-center endpoint with a task identifier such as ../../../../var/lib/dataease, causing the server to recursively delete that directory tree under the service account's privileges. By iterating over sensitive paths the attacker can destroy application data, uploaded assets, or other server files, causing denial of service and data loss. …
Remediation Vendor-released patch: upgrade DataEase to version 2.10.23 or later, which adds an existence check (exportTaskMapper.exists) so that FileUtils.deleteDirectoryRecursively and deleteById only run against ids that correspond to a real export task, neutralizing traversal payloads; the release is at https://github.com/dataease/dataease/releases/tag/v2.10.23 and the advisory at https://github.com/dataease/dataease/security/advisories/GHSA-mwr5-hw6p-cqmg. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all DataEase deployments to identify instances running versions prior to 2.10.23; while no public exploit has been identified at time of analysis, the published patch code lowers reverse-engineering barriers and patching should be prioritized. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-49003 CRITICAL POC
9.8 Jun 26

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m

CVE-2025-49002 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.

CVE-2025-49001 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase BI tool before 2.10.10.

CVE-2025-53005 CRITICAL POC
9.8 Jul 01

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53004 CRITICAL POC
9.8 Jun 30

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53006 CRITICAL POC
9.8 Jul 02

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-23958 CRITICAL POC
9.8 Jan 22

DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack

CVE-2024-46997 CRITICAL POC
9.8 Sep 23

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-37258 CRITICAL POC
9.8 Jul 25

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-33963 CRITICAL POC
9.8 Jun 01

DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-28437 CRITICAL POC
9.8 Mar 25

Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2022-39312 CRITICAL POC
9.8 Oct 25

Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

Share

CVE-2026-45533 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy