๐Ÿ” CVE Alert

CVE-2026-53730

UNKNOWN 0.0

DataEase: Unauthorized Access to Engine Database via previewSql Endpoint

CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
14th

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation annotation, allowing any authenticated user to specify datasourceId=-1, access the built-in engine database, execute arbitrary SQL statements, and read sensitive core data. This issue is fixed in version 2.10.24.

CWE CWE-862
Vendor dataease
Product dataease
Published Jul 7, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for dataease dataease

Be the first to know when new unknown vulnerabilities affecting dataease dataease are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

dataease / dataease
< 2.10.24

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/dataease/dataease/security/advisories/GHSA-2jmq-vffm-4qmj github.com: https://github.com/dataease/dataease/commit/7b47af38b8fa017c9eecb00a4a49264663189e7b