CVE-2024-52295

CRITICAL

DataEase < 2.10.2 - Use of Hard-coded Credentials for JWT Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-52295. PoCs published by iSee857.

AI-analyzed exploit summary: The repository contains functional exploit code for multiple CVEs, including CVE-2026-22812, which demonstrates a command execution vulnerability in OpenCode. The PoC sends a crafted JSON payload to a session endpoint and executes the 'id' command to verify RCE.

Description

DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge JWTs and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded as well. The vulnerability has been fixed in v2.10.2.

Exploits (1)

GitHub · WORKING POC · 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/DataEase(CVE-2024-52295).py

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenCode (version not specified)
No auth needed
Prerequisites: Network access to the target · OpenCode service running on the target
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 9.8
EPSS 0.0083
EPSS Percentile 52.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE CWE-798
Status published
Products (1)
dataease/dataease < 2.10.2
Published Nov 13, 2024
Tracked Since Feb 18, 2026