CVE-2026-55631 in DataEase
Summary
by MITRE • 07/08/2026
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the font management module allows authenticated users to submit an arbitrary fileTransName when creating a font record; when the record is later deleted, the backend concatenates that stored value with the font storage directory and passes it to FileUtils.deleteFile() without path traversal sanitization, allowing deletion of arbitrary writable files in the application container. This issue is fixed in version 2.10.24.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability in DataEase affects versions prior to 2.10.24 and stems from a critical flaw in the font management module that enables authenticated users to manipulate file deletion operations through improper input validation. This represents a classic path traversal vulnerability where user-supplied data is directly concatenated with system paths without adequate sanitization, creating a dangerous attack surface within the application's file system operations.
The technical implementation of this vulnerability occurs when an authenticated user creates a font record and provides an arbitrary TransName value that gets stored in the system. During subsequent deletion operations, the backend processes this stored value by concatenating it with the designated font storage directory path before passing it to the FileUtils.deleteFile() method. This concatenation operation lacks proper path validation or sanitization mechanisms, allowing attackers to craft malicious TransName values that can traverse directories beyond the intended font storage location.
From an operational perspective, this vulnerability presents a severe risk to system integrity as authenticated users can potentially delete any writable file within the application container's filesystem. The impact extends beyond mere data loss since attackers could target critical application files, configuration data, or even log files that might lead to service disruption or further exploitation. The vulnerability essentially provides an attacker with arbitrary file deletion capabilities, which can be leveraged for various malicious activities including system denial of service, data destruction, or as a stepping stone for more sophisticated attacks.
The flaw aligns with CWE-22 Path Traversal and CWE-77 Path Traversal vulnerabilities, both of which are categorized under the broader family of directory traversal issues that have been consistently identified in software security assessments. This vulnerability also maps to ATT&CK technique T1059 Command and Scripting Interpreter and T1486 Data Encrypted for Impact, as it provides an initial access vector that can be combined with other techniques to achieve more destructive outcomes. The authentication requirement reduces the attack surface but does not eliminate the severity since legitimate users with appropriate privileges could be compromised through credential theft or session hijacking.
Organizations using DataEase versions prior to 2.10.24 should immediately implement mitigations including updating to the fixed version 2.10.24, implementing proper input validation for all user-supplied file paths, and establishing robust access controls to minimize the impact of potential privilege escalation attacks. Additional defensive measures could include restricting file system permissions for the application container, monitoring deletion operations for unusual patterns, and implementing automated security scanning to detect similar vulnerabilities in other components of the application stack.