CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53006 – Dataease PostgreSQL & Redshift Data Source JDBC Connection Parameters Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2025-53006
02 Jul 2025 — DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, in both PostgreSQL and Redshift, apart from parameters like "socketfactory" and "socketfactoryarg", there are also "sslfactory" and "sslfactoryarg" with similar functionality. The difference lies in that "sslfactory" and related parameters need to be triggered after establishing the connection. Other similar parameters include "sslhostnameverifier", "sslpasswordcallback", and "authenticationPluginClassNam... • https://github.com/dataease/dataease/security/advisories/GHSA-q726-5pr9-x7gm • CWE-153: Improper Neutralization of Substitution Characters •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53005 – Dataease PostgreSQL Data Source JDBC Connection Parameters Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2025-53005
01 Jul 2025 — DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, there is a bypass vulnerability in Dataease's PostgreSQL Data Source JDBC Connection Parameters. The sslfactory and sslfactoryarg parameters could trigger a bypass vulnerability. This issue has been patched in version 2.10.11. • https://github.com/dataease/dataease/security/advisories/GHSA-99c4-h4fq-r23v • CWE-153: Improper Neutralization of Substitution Characters •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53004 – Dataease Redshift Data Source JDBC Connection Parameters Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2025-53004
30 Jun 2025 — DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, there is a bypass vulnerability in Dataease's Redshift Data Source JDBC Connection Parameters. The sslfactory and sslfactoryarg parameters could trigger a bypass vulnerability. This issue has been patched in version 2.10.11. • https://github.com/dataease/dataease/security/advisories/GHSA-mfg2-qr5c-99pp • CWE-153: Improper Neutralization of Substitution Characters •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49003 – Dataease H2 JDBC Connection Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-49003
26 Jun 2025 — DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "ı" becomes "I" when converted to uppercase, and the character "ſ" becomes "S" when converted to uppercase. A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. The vulnerability has been fixed in v2.10.11. No known workarounds are available. • https://github.com/dataease/dataease/security/advisories/GHSA-x97w-69ff-r55q • CWE-153: Improper Neutralization of Substitution Characters •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49002 – Dataease H2 Database Remote Code Execution (RCE) Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2025-49002
03 Jun 2025 — DataEase is an open source business intelligence and data visualization tool. Versions prior to version 2.10.10 have a flaw in the patch for CVE-2025-32966 that allow the patch to be bypassed through case insensitivity because INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available. • https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34 • CWE-290: Authentication Bypass by Spoofing •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49001 – Dataease Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2025-49001
03 Jun 2025 — DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available. • https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r • CWE-287: Improper Authentication •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48999 – Dataease Redshift Data Source JDBC Connection Parameters Not Verified Leads to RCE Vulnerability
https://notcve.org/view.php?id=CVE-2025-48999
03 Jun 2025 — DataEase is an open source business intelligence and data visualization tool. A bypass of CVE-2025-46566's patch exists in versions prior to 2.10.10. In a malicious payload, `getUrlType()` retrieves `hostName`. Since the judgment statement returns false, it will not enter the if statement and will not be filtered. The payload can be directly concatenated at the replace location to construct a malicious JDBC statement. • https://github.com/dataease/dataease/commit/03b18db8a0fb7e9dc2c44f6d26d8c6221b7748c4 • CWE-284: Improper Access Control CWE-923: Improper Restriction of Communication Channel to Intended Endpoints •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48998 – Dataease MYSQL JDBC File Reading Vulnerability
https://notcve.org/view.php?id=CVE-2025-48998
03 Jun 2025 — DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.10. No known workarounds are available. • https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46566 – Dataease redshift JDBC Connection Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-46566
01 May 2025 — DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.9, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.9. • https://github.com/dataease/dataease/security/advisories/GHSA-hxw4-vpfp-frgv • CWE-284: Improper Access Control CWE-923: Improper Restriction of Communication Channel to Intended Endpoints •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32966 – Dataease H2 JDBC Connection Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-32966
23 Apr 2025 — DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.8, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.8. • https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7 • CWE-290: Authentication Bypass by Spoofing •