Arbitrary Code Execution in DataEase Tool by DataEase Inc.
CVE-2026-50124

7.1HIGH

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-50124?

A significant vulnerability has been identified in DataEase, an open-source data visualization and analysis tool. Prior to version 2.10.23, the application is susceptible to exploitation through the Excel upload API located at /datasource/upload. By uploading a specially crafted payload.zip file, an attacker can create an H2 datasource utilizing the zip: protocol. This manipulation allows the execution of arbitrary code via the CalciteProvider.jdbcFetchResultField function, leading to potential unauthorized access and control over affected systems. The issue has been rectified in version 2.10.23.

Affected Version(s)

dataease < 2.10.23

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.