Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable module needing only a low-privilege account (PR:L) and no interaction; arbitrary file deletion harms integrity and availability (I:H/A:H) but exposes no data (C:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the font management module allows authenticated users to submit an arbitrary fileTransName when creating a font record; when the record is later deleted, the backend concatenates that stored value with the font storage directory and passes it to FileUtils.deleteFile() without path traversal sanitization, allowing deletion of arbitrary writable files in the application container. This issue is fixed in version 2.10.24.
AnalysisAI
Arbitrary file deletion in DataEase (open-source data visualization and analytics platform) before 2.10.24 lets authenticated users delete arbitrary writable files inside the application container via a path traversal in the font management module. The stored fileTransName value is concatenated with the font storage directory and passed unsanitized to FileUtils.deleteFile() when a font record is deleted. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account (CVSS PR:L) able to reach the font management module and create then delete font records; the attacker must supply a malicious fileTransName value at record-creation time, and the arbitrary deletion only fires when that record is subsequently deleted. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N, score 7.2) indicates a remotely reachable, low-complexity attack requiring only low-privilege authentication and no user interaction, with high integrity and availability impact but no confidentiality loss - consistent with an arbitrary file deletion primitive rather than data theft or code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privilege but authenticated DataEase user creates a font record with a crafted fileTransName containing directory traversal sequences (e.g. '../../..' pointing at a critical writable file), then triggers deletion of that record. … |
| Remediation | Vendor-released patch: upgrade to DataEase 2.10.24, which fixes the path traversal in the font management deletion flow (fix commit 8892a6945b0b7a329a156155270fae58afa895bc). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all DataEase installations to identify versions before 2.10.24; restrict console access to administrative personnel only; enable detailed audit logging of file operations and user activities. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m
Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.
Auth bypass in DataEase BI tool before 2.10.10.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42089