CVE-2026-32939HIGH 8.1EPSS p35.5%

CVE-2026-32939CVE-2026-32939

Description

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.45% probability of exploitation · percentile 35.5% · 2026-06-18T12:00:27Z
Published2026-03-20
Last modified2026-03-23

Underlying weaknesses· 1

CWE-178

References

  1. https://github.com/dataease/dataease/commit/8f1c21834a620d37dafb3fa24605c059d0a5b80d
  2. https://github.com/dataease/dataease/releases/tag/v2.10.20
  3. https://github.com/dataease/dataease/security/advisories/GHSA-pj7p-3m49-52qq

1

TypeTargetConfidenceTier
WeaknessImproper Handling of Case Sensitivitycwe-1780%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-57772
CVE
CVE-2025-49003
CVE
CVE-2025-62420
CVE
CVE-2026-33207
CVE
CVE-2025-48999
CVE
CVE-2025-49002
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.