PatchSiren cyber security CVE debrief
CVE-2026-50124 dataease CVE debrief
CVE-2026-50124 is a high-severity vulnerability in DataEase, an open-source data visualization tool. The issue allows for arbitrary code execution via a crafted payload uploaded through the Excel upload API. This vulnerability was fixed in version 2.10.23. Affected users should apply the patch immediately. The vulnerability arises from insufficient validation of uploaded files and improper use of the zip: protocol in H2 datasources.
- Vendor
- dataease
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-17
Who should care
Users of DataEase versions prior to 2.10.23 should apply the patch immediately. Security teams monitoring open-source data visualization tools should prioritize this fix. IT teams responsible for data visualization and analysis tools should review their deployments and apply the necessary updates.
Technical summary
The vulnerability in DataEase arises from the /datasource/upload API, which allows uploading a payload.zip file. By creating an H2 datasource using the zip: protocol and executing an SQL dataset path, an attacker can cause precompiled Java aliases in test.mv.db to execute arbitrary code. This issue is addressed in version 2.10.23. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.
Defensive priority
High priority due to CVSS score of 7.1 and potential for code execution.
Recommended defensive actions
- Apply the patch by upgrading to DataEase version 2.10.23 or later
- Restrict access to the /datasource/upload API
- Monitor for suspicious uploads and datasource creations
- Implement additional security controls around Java alias execution
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-15T20:17:13.370Z and last modified on 2026-07-17T13:18:54.510Z. The NVD entry is currently Deferred. The vulnerability affects DataEase versions prior to 2.10.23. Users should verify their deployments and apply the patch or mitigations accordingly. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T20:17:13.370Z and has not been modified since then. The NVD entry is currently Deferred.