๐Ÿ” CVE Alert

CVE-2026-50124

UNKNOWN 0.0

DataEase: Remote Code Execution (RCE) via Zip Protocol & File Dropper

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase can be exploited by uploading payload.zip through the Excel upload API /datasource/upload, creating an H2 datasource that uses the zip: protocol, and executing an SQL dataset path where CalciteProvider.jdbcFetchResultField calls statement.executeQuery(), causing precompiled Java aliases in test.mv.db to execute arbitrary code. This issue is fixed in version 2.10.23.

CWE CWE-434
Vendor dataease
Product dataease
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for dataease dataease

Be the first to know when new unknown vulnerabilities affecting dataease dataease are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

dataease / dataease
< 2.10.23

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/dataease/dataease/security/advisories/GHSA-cjmg-jqmc-xj5v github.com: https://github.com/dataease/dataease/commit/304104d70e27a97f8909981f56209edc117dc285 github.com: https://github.com/dataease/dataease/commit/a7bffa795cb0ca041dce0effe68479cf3bf13db1 github.com: https://github.com/dataease/dataease/releases/tag/v2.10.23