CVE-2026-50530
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sce
CVSS
—
No CVSS
EPSS
0.2%
p15
KEV
—
Exploit Today
4
0-100
Published: Jul 7, 2026 · Last modified: Jul 8, 2026 · CWE-639
0.2%EPSS · 30 days0.2%
2026-07-082026-07-18
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing an attacker with a valid share link token to replace dataset identifiers and retrieve unauthorized data through POST /de2api/chartData/getData. This issue is fixed in version 2.10.24.
- github.comhttps://github.com/dataease/dataease/commit/c4e85a981e53c95b1ea73757db31e3025efdc410
- github.comhttps://github.com/dataease/dataease/releases/tag/v2.10.24
- github.comhttps://github.com/dataease/dataease/security/advisories/GHSA-qcf4-345v-6vg9
- github.comhttps://github.com/dataease/dataease/security/advisories/GHSA-qcf4-345v-6vg9
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-552558.4 HIG42.8%
KEV—63Langflow Authorization Bypass Through User-Controlled Key Vulnerability10dCVE-2021-464168.1 HIG89.9%
——27Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.5dCVE-2022-289867.5 HIG80.9%
——24LMS Doctor Simple 2 Factor Authentication Plugin For Moodle Affected: 2021072900 has an Insecure direct object references (IDOR) vulnerability, which allows remote attackers to update sensitive records such as email, password and phone number of other user accounts.10dCVE-2020-234465.3 MED65.5%
——20Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenticated Information Disclosure via API10dCVE-2021-33806.5 MED61.5%
——18Insecure direct object reference (IDOR) vulnerability in ICREM H8 SSRMS allows attackers to disclose sensitive information via the Print Invoice Functionality.10dCVE-2022-362029.8 CRI51.5%
——15Doctor's Appointment System1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php. The settings.php is affected by Broken Access Control (IDOR) via id= parameter.10d