CVE-2026-45419 in DataEaseinfo

Summary

by MITRE • 07/15/2026

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase template saves call TemplateManageService#save, StaticResourceServer#saveFilesToServe, and the /de2api/templateManage/save endpoint with attacker-controlled staticResource names and Base64 content, allowing path traversal and arbitrary file writes because only / was used when extracting the file name. This issue is fixed in version 2.10.23.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability identified in DataEase versions prior to 2.10.23 represents a critical path traversal and arbitrary file write flaw that directly impacts the application's security posture. This weakness exists within the template management functionality, specifically in three key components: TemplateManageService#save, StaticResourceServer#saveFilesToServe, and the /de2api/templateManage/save endpoint. The vulnerability stems from insufficient input validation and improper file name extraction mechanisms that only utilize the forward slash character as a delimiter when processing static resource names. This design flaw allows attackers to manipulate file paths through carefully crafted Base64 encoded content, enabling them to write files to arbitrary locations on the server filesystem.

The technical exploitation of this vulnerability follows a path traversal pattern where attacker-controlled input bypasses normal file system restrictions. When the application processes template saves, it extracts filenames by splitting on forward slashes without proper sanitization or validation of the resulting path components. This creates an opportunity for attackers to include directory traversal sequences such as ../ or ..\ in their Base64 encoded payloads, effectively allowing them to navigate outside the intended target directories. The combination of attacker-controlled static resource names and Base64 content provides multiple attack vectors for crafting malicious inputs that can ultimately result in arbitrary file creation or modification on the server.

From an operational impact perspective, this vulnerability exposes DataEase installations to severe security risks including potential remote code execution, data exfiltration, and system compromise. Attackers could leverage this flaw to upload malicious files such as web shells, backdoors, or other harmful payloads that would persist on the server and provide ongoing access to attackers. The vulnerability affects the core template management functionality which is typically accessible through authenticated user sessions, meaning that even unprivileged users with template management permissions could potentially exploit this issue. This represents a significant concern for organizations using DataEase for business intelligence and data visualization, as it could lead to unauthorized access to sensitive analytical data and underlying system resources.

The remediation implemented in version 2.10.23 addresses the root cause by properly validating and sanitizing file names extracted from attacker-controlled inputs. This fix aligns with established security best practices and follows the principles outlined in CWE-22 Path Traversal vulnerability classification, which emphasizes the importance of input validation and proper path handling to prevent unauthorized access to system resources. Organizations should prioritize upgrading to version 2.10.23 or later to mitigate this risk, while also implementing additional monitoring for unusual template save activities and file system changes that could indicate exploitation attempts. The vulnerability demonstrates the critical importance of proper input validation in web applications, particularly when dealing with file operations and user-supplied content, as highlighted by ATT&CK technique T1059 Command and Scripting Interpreter which encompasses various methods attackers use to execute malicious code through compromised applications.

Responsible

GitHub M

Reservation

05/12/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!