Skip to main content

DataEase CVE-2026-55631

| EUVDEUVD-2026-42089 HIGH
Path Traversal (CWE-22)
2026-07-07 GitHub_M
7.2
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable module needing only a low-privilege account (PR:L) and no interaction; arbitrary file deletion harms integrity and availability (I:H/A:H) but exposes no data (C:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 22:01 EUVD
Analysis Generated
Jul 07, 2026 - 21:17 vuln.today

DescriptionCVE.org

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the font management module allows authenticated users to submit an arbitrary fileTransName when creating a font record; when the record is later deleted, the backend concatenates that stored value with the font storage directory and passes it to FileUtils.deleteFile() without path traversal sanitization, allowing deletion of arbitrary writable files in the application container. This issue is fixed in version 2.10.24.

AnalysisAI

Arbitrary file deletion in DataEase (open-source data visualization and analytics platform) before 2.10.24 lets authenticated users delete arbitrary writable files inside the application container via a path traversal in the font management module. The stored fileTransName value is concatenated with the font storage directory and passed unsanitized to FileUtils.deleteFile() when a font record is deleted. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Delivery
Create font record with traversal fileTransName
Exploit
Delete the font record
Execution
Backend concatenates path, calls deleteFile()
Impact
Arbitrary writable file deleted (tamper/DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account (CVSS PR:L) able to reach the font management module and create then delete font records; the attacker must supply a malicious fileTransName value at record-creation time, and the arbitrary deletion only fires when that record is subsequently deleted. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N, score 7.2) indicates a remotely reachable, low-complexity attack requiring only low-privilege authentication and no user interaction, with high integrity and availability impact but no confidentiality loss - consistent with an arbitrary file deletion primitive rather than data theft or code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege but authenticated DataEase user creates a font record with a crafted fileTransName containing directory traversal sequences (e.g. '../../..' pointing at a critical writable file), then triggers deletion of that record. …
Remediation Vendor-released patch: upgrade to DataEase 2.10.24, which fixes the path traversal in the font management deletion flow (fix commit 8892a6945b0b7a329a156155270fae58afa895bc). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all DataEase installations to identify versions before 2.10.24; restrict console access to administrative personnel only; enable detailed audit logging of file operations and user activities. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-49003 CRITICAL POC
9.8 Jun 26

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m

CVE-2025-49002 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.

CVE-2025-49001 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase BI tool before 2.10.10.

CVE-2025-53005 CRITICAL POC
9.8 Jul 01

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53004 CRITICAL POC
9.8 Jun 30

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53006 CRITICAL POC
9.8 Jul 02

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-23958 CRITICAL POC
9.8 Jan 22

DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack

CVE-2024-46997 CRITICAL POC
9.8 Sep 23

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-37258 CRITICAL POC
9.8 Jul 25

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-33963 CRITICAL POC
9.8 Jun 01

DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-28437 CRITICAL POC
9.8 Mar 25

Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2022-39312 CRITICAL POC
9.8 Oct 25

Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

Share

CVE-2026-55631 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy