Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable low-complexity API abuse needing an authenticated account (PR:L); deletion of files outside the app's export directory crosses a security boundary (S:C) with destructive availability impact (A:H) and no confidentiality/integrity read impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase export-center deletion can accept path traversal sequences such as ../ in the bulk delete API endpoint and pass attacker-controlled identifiers to ExportCenterManage.delete, allowing recursive deletion of arbitrary server directories through export task cleanup. This issue is fixed in version 2.10.23.
AnalysisAI
Arbitrary directory deletion in DataEase, an open-source data visualization and analysis platform, allows an authenticated user (PR:L) to abuse the export-center bulk delete API by injecting path traversal sequences (../) into task identifiers, which are passed unsanitized to ExportCenterManage.delete and used to recursively delete server directories. All releases prior to 2.10.23 are affected, and the fix in 2.10.23 constrains deletion to identifiers that exist as legitimate export tasks in the database. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated DataEase account with access to the export-center bulk delete API endpoint (CVSS PR:L confirms low but non-zero privileges are needed - this is not unauthenticated). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 base score is 8.3 (High) with vector AV:N/AC:L/AT:N/PR:L/UI:N and impact concentrated on availability (VA:H, SA:H) - consistent with a destructive file-deletion primitive rather than data theft, since confidentiality and integrity are rated N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds any low-privilege DataEase account (or has hijacked one) sends a crafted bulk delete request to the export-center endpoint with a task identifier such as ../../../../var/lib/dataease, causing the server to recursively delete that directory tree under the service account's privileges. By iterating over sensitive paths the attacker can destroy application data, uploaded assets, or other server files, causing denial of service and data loss. … |
| Remediation | Vendor-released patch: upgrade DataEase to version 2.10.23 or later, which adds an existence check (exportTaskMapper.exists) so that FileUtils.deleteDirectoryRecursively and deleteById only run against ids that correspond to a real export task, neutralizing traversal payloads; the release is at https://github.com/dataease/dataease/releases/tag/v2.10.23 and the advisory at https://github.com/dataease/dataease/security/advisories/GHSA-mwr5-hw6p-cqmg. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all DataEase deployments to identify instances running versions prior to 2.10.23; while no public exploit has been identified at time of analysis, the published patch code lowers reverse-engineering barriers and patching should be prioritized. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m
Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.
Auth bypass in DataEase BI tool before 2.10.10.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44781