V
Scaner-VS
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
CVE-2026-23958
CVE
High

Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as…

CVSS
8.8
High
EPSS
0.00
p37
Published
2026-01-01
Updated
2026-01-01
Description

Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available.

Tags · CWE
Pre-auth
CWE-522
CAPEC-50
CAPEC-102
CAPEC-474
CAPEC-509
CAPEC-551
CAPEC-555
CAPEC-560
CAPEC-561
CAPEC-600
CAPEC-644
CAPEC-645
CAPEC-652
CAPEC-653
Affected products
Dataease < 2.10.19
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Timeline
2026-01-01
Published
2026-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: L
Low (L)
Attack Requirements
AT: N
None
Privileges Required
PR: N
None (N)
User Interaction
UI: N
None (N)
Vulnerable System Confidentiality
VC: H
High (H)
Vulnerable System Integrity
VI: H
High (H)
Vulnerable System Availability
VA: N
None (N)
Subsequent System Confidentiality
SC: N
None (N)
Subsequent System Integrity
SI: N
None (N)
Subsequent System Availability
SA: N
None (N)
Exploit Code Maturity
E: P
Proof-of-Concept
Confidentiality Requirement
CR: X
Not Defined
Integrity Requirement
IR: X
Not Defined
Availability Requirement
AR: X
Not Defined
Modified Attack Vector
MAV: X
Not Defined
Modified Attack Complexity
MAC: X
Not Defined
Modified Attack Requirements
MAT: X
Not Defined
Modified Privileges Required
MPR: X
Not Defined
Modified User Interaction
MUI: X
Not Defined
Modified Vulnerable System Confidentiality
MVC: X
Not Defined
Modified Vulnerable System Integrity
MVI: X
Not Defined
Modified Vulnerable System Availability
MVA: X
Not Defined
Modified Subsequent System Confidentiality
MSC: X
Not Defined
Modified Subsequent System Integrity
MSI: X
Not Defined
Modified Subsequent System Availability
MSA: X
Not Defined
s
S: X
X
au
AU: X
X
r
R: X
X
v
V: X
X
re
RE: X
X
u
U: X
X
Exploit indicators
EPSS
0.005 · p37
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
└ via CAPEC-555 · CWE-522
└ via CAPEC-561 · CWE-522
└ via CAPEC-560 · CWE-522
└ via CAPEC-600 · CWE-522
└ via CAPEC-555 · CWE-522
└ via CAPEC-555 · CWE-522
└ via CAPEC-551 · CWE-522
└ via CAPEC-644 · CWE-522
└ via CAPEC-645 · CWE-522
└ via CAPEC-474 · CWE-522
└ via CAPEC-652 · CWE-522
└ via CAPEC-509 · CWE-522
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
ProductVendorStatus
Tracked
dataease*Tracked