Arbitrary Code Execution in DataEase Tool by DataEase Inc.
CVE-2026-50124
7.1HIGH
What is CVE-2026-50124?
A significant vulnerability has been identified in DataEase, an open-source data visualization and analysis tool. Prior to version 2.10.23, the application is susceptible to exploitation through the Excel upload API located at /datasource/upload. By uploading a specially crafted payload.zip file, an attacker can create an H2 datasource utilizing the zip: protocol. This manipulation allows the execution of arbitrary code via the CalciteProvider.jdbcFetchResultField function, leading to potential unauthorized access and control over affected systems. The issue has been rectified in version 2.10.23.
Affected Version(s)
dataease < 2.10.23
