Skip to main content

CWE-153

Improper Neutralization of Substitution Characters

5 CVEs Avg CVSS 8.7 MITRE
4
CRITICAL
0
HIGH
1
MEDIUM
0
LOW
5
POC
0
KEV

Monthly

CVE-2026-9694 MEDIUM POC PATCH This Month

Content injection via Service Desk email template processing in GitLab CE/EE allows an unauthenticated attacker to impersonate the GitLab Support Bot and inject arbitrary content into issue threads. The vulnerability affects all GitLab instances running versions from 15.9 through 19.0.1 with the Service Desk feature active, and stems from improper neutralization of substitution characters (CWE-153) in email template rendering. A publicly available exploit exists on HackerOne, though no active exploitation has been confirmed by CISA KEV; the official CVSS score of 2.6 reflects the high attack complexity and limited integrity-only impact.

Gitlab Code Injection
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53006 CRITICAL POC PATCH Act Now

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

Information Disclosure PostgreSQL Dataease
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-53005 CRITICAL POC PATCH Act Now

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

Authentication Bypass PostgreSQL Dataease
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-53004 CRITICAL POC PATCH Act Now

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

Authentication Bypass Dataease
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49003 CRITICAL POC PATCH Act Now

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "ı" becomes "I" when converted to uppercase, and the character "ſ" becomes "S" when converted to uppercase. A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. The vulnerability has been fixed in v2.10.11. No known workarounds are available.

RCE Java Dataease
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Content injection via Service Desk email template processing in GitLab CE/EE allows an unauthenticated attacker to impersonate the GitLab Support Bot and inject arbitrary content into issue threads. The vulnerability affects all GitLab instances running versions from 15.9 through 19.0.1 with the Service Desk feature active, and stems from improper neutralization of substitution characters (CWE-153) in email template rendering. A publicly available exploit exists on HackerOne, though no active exploitation has been confirmed by CISA KEV; the official CVSS score of 2.6 reflects the high attack complexity and limited integrity-only impact.

Gitlab Code Injection
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

Information Disclosure PostgreSQL Dataease
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

Authentication Bypass PostgreSQL Dataease
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

Authentication Bypass Dataease
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "ı" becomes "I" when converted to uppercase, and the character "ſ" becomes "S" when converted to uppercase. A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. The vulnerability has been fixed in v2.10.11. No known workarounds are available.

RCE Java Dataease
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy