Path traversal in DataEase - CVE-2026-55631

 

Published: June 18, 2026


Vulnerability identifier: #VU134829
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-55631
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DataEase
Affected software: DataEase

Detailed vulnerability description

The vulnerability allows a remote user to delete arbitrary files.

The vulnerability exists due to path traversal in the font management module when deleting a font record with a previously stored user-controlled fileTransName value. A remote user can create a font record with a crafted fileTransName and then delete that record to delete arbitrary files.

Exploitation requires access to the font management APIs and is limited to writable files within the application container.
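The check this class of bug is missing, as an added example (not DataEase source code and not the vendor's patch): the stored name is validated when the record is written and again when it is used to build the path for deletion. The class name `FontFileGuard`, the directory `/opt/app/fonts`, the allowed-name pattern and the sample values are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;
// Added illustration; not DataEase source. FontFileGuard, FONT_DIR and the
// name pattern are hypothetical.
public final class FontFileGuard {
    // Assumed storage root for uploaded fonts (placeholder path).
    private static final Path FONT_DIR = Paths.get("/opt/app/fonts").toAbsolutePath().normalize();
    // Stored names are restricted to one path segment with a font extension.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}\\.(ttf|otf|woff2?)");

    // Call when the record is created or updated, so a crafted value is never stored.
    public static String validateStoredName(String fileTransName) {
        if (fileTransName == null || !SAFE_NAME.matcher(fileTransName).matches()) {
            throw new IllegalArgumentException("rejected fileTransName");
        }
        return fileTransName;
    }

    // Call again at delete time: the value read back from the database is still untrusted.
    public static Path resolveForDelete(String fileTransName) {
        Path target = FONT_DIR.resolve(validateStoredName(fileTransName)).normalize();
        if (!target.startsWith(FONT_DIR) || target.equals(FONT_DIR)) {
            throw new SecurityException("path escapes font directory");
        }
        return target;
    }

    public static boolean deleteFont(String fileTransName) throws IOException {
        Path target = resolveForDelete(fileTransName);
        // Only regular files are removed; directories and symlinks are left alone.
        return Files.isRegularFile(target, LinkOption.NOFOLLOW_LINKS) && Files.deleteIfExists(target);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the advisory.
        String[] samples = {"a1b2c3.ttf", "../../etc/passwd", "/tmp/x.ttf", "..\\conf.ttf", "sub/a.ttf"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveForDelete(s));
            } catch (RuntimeException e) {
                System.out.println(s + " -> blocked: " + e.getMessage());
            }
        }
    }
}
```

Only the first sample resolves to a path; the other four are rejected before any filesystem call is made.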


How to mitigate CVE-2026-55631

Install the security update from the vendor's website.
