#VU126339 Improper input validation in DataEase - CVE-2025-48998

 


Published: April 16, 2026


Vulnerability identifier: #VU126339
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-48998
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: DataEase
Software vendor: DataEase

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper input validation in the JDBC connection string construction logic when handling datasource validation requests. A remote user can supply a specially crafted host value to inject malicious JDBC parameters and disclose sensitive information.

The issue affects the MySQL datasource configuration path when urlType is set to hostName.


Remediation

Install the security update from the vendor's website.
