Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable preview endpoint with low complexity but requires a low-privilege authenticated account (PR:L); read-only data disclosure gives C:H with I:N and A:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL preview exposes DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql, accepts PreviewSqlDTO.sql, PreviewSqlDTO.datasourceId, and PreviewSqlDTO.isCross, then DatasetDataManage.previewSql stores decoded SQL in datasourceRequest.query and CalciteProvider.fetchResultField executes it with prepareStatement(...).executeQuery(), allowing arbitrary readable datasource tables to be queried and returned in preview responses. This issue is fixed in version 2.10.23.
AnalysisAI
Arbitrary SQL read access in DataEase before 2.10.23 lets authenticated users abuse the SQL preview feature (/de2api/datasetData/previewSql) to run attacker-supplied queries against any configured datasource. Because DatasetDataManage.previewSql passes the decoded PreviewSqlDTO.sql straight into datasourceRequest.query and CalciteProvider.fetchResultField executes it via prepareStatement().executeQuery(), an attacker can read any table the datasource account can access and receive the rows in the preview response. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated DataEase account (CVSS PR:L) with the ability to reach the SQL preview feature at /de2api/datasetData/previewSql and at least one configured datasource whose datasourceId the attacker can supply in PreviewSqlDTO. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, base 7.1) describes a network-reachable, low-complexity attack that requires low-level privileges (PR:L) and yields high confidentiality impact but no integrity or availability impact - consistent with a read-only data exfiltration flaw rather than full RCE or data tampering. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privilege authenticated DataEase user (or an attacker who has obtained any valid account) sends a crafted POST to /de2api/datasetData/previewSql with a PreviewSqlDTO whose sql field selects from a sensitive table and a valid datasourceId. DataEase decodes and executes the query via prepareStatement().executeQuery() and returns the rows in the preview response, exfiltrating data outside the user's authorized datasets. … |
| Remediation | Vendor-released patch: upgrade to DataEase 2.10.23, which is the fixed release (https://github.com/dataease/dataease/releases/tag/v2.10.23); the corrective change is in commit 22930a493d900fe3d8084b3dd4c0125abdb2a847, which parameterizes SQL-variable default values via prepared statements in DeSqlparserUtils and SqlparserUtils. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, enumerate all DataEase instances in your environment and verify versions; flag any instances running versions before 2.10.23 as critical priority. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m
Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.
Auth bypass in DataEase BI tool before 2.10.10.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44778