CVE-2026-50124
DataEase: Remote Code Execution (RCE) via Zip Protocol & File Dropper
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase can be exploited by uploading payload.zip through the Excel upload API /datasource/upload, creating an H2 datasource that uses the zip: protocol, and executing an SQL dataset path where CalciteProvider.jdbcFetchResultField calls statement.executeQuery(), causing precompiled Java aliases in test.mv.db to execute arbitrary code. This issue is fixed in version 2.10.23.
| CWE | CWE-434 |
| Vendor | dataease |
| Product | dataease |
| Published | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for dataease dataease
Be the first to know when new unknown vulnerabilities affecting dataease dataease are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
dataease / dataease
< 2.10.23
References
github.com: https://github.com/dataease/dataease/security/advisories/GHSA-cjmg-jqmc-xj5v github.com: https://github.com/dataease/dataease/commit/304104d70e27a97f8909981f56209edc117dc285 github.com: https://github.com/dataease/dataease/commit/a7bffa795cb0ca041dce0effe68479cf3bf13db1 github.com: https://github.com/dataease/dataease/releases/tag/v2.10.23