Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (GitHub_M) · only source for this CVE.
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a bypass of the H2 zip protocol and file dropper fix allows an authenticated attacker to upload a zip archive disguised with a .ttf extension through FontManage.saveFile and then exploit it through the zip protocol to achieve remote code execution. This issue is fixed in version 2.10.24.
AnalysisAI
Remote code execution in DataEase before 2.10.24 allows an authenticated attacker to bypass the prior H2 zip-protocol and file-dropper hardening by uploading a ZIP archive masquerading as a font file (.ttf) via the FontManage.saveFile endpoint, then invoking the H2 database zip protocol against it to execute arbitrary code on the server. The flaw is a regression that defeats an earlier fix, and carries a CVSS 4.0 score of 8.7 (High). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
24 hours: Inventory all DataEase deployments and document current versions; restrict font management privileges to essential administrative accounts; disable FontManage functionality if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m
Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.
Auth bypass in DataEase BI tool before 2.10.10.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42090