CVE-2026-55633
Received Received - Intake

DataEase Remote Code Execution via Malicious Font File

Vulnerability report for CVE-2026-55633, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a bypass of the H2 zip protocol and file dropper fix allows an authenticated attacker to upload a zip archive disguised with a .ttf extension through FontManage.saveFile and then exploit it through the zip protocol to achieve remote code execution. This issue is fixed in version 2.10.24.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dataease dataease to 2.10.24 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects DataEase, an open source data visualization and analysis tool. Before version 2.10.24, there was a security flaw that allowed an authenticated attacker to bypass protections related to the H2 zip protocol and file dropper fix. Specifically, the attacker could upload a zip archive disguised with a .ttf (font) file extension via the FontManage.saveFile function. By exploiting the zip protocol through this disguised file, the attacker could achieve remote code execution on the affected system.

Impact Analysis

This vulnerability can have a severe impact as it allows an authenticated attacker to execute arbitrary code remotely on the affected system. This means the attacker could potentially take full control of the system, leading to data theft, data manipulation, service disruption, or further attacks within the network.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade DataEase to version 2.10.24 or later, where the issue is fixed.

Additionally, restrict authenticated users from uploading files with disguised extensions such as .ttf that could be exploited via the zip protocol.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55633. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart