PT-2026-26550 · Dataease · Dataease

Fushuling +1
Published 2026-03-20 · Updated 2026-03-24
CVE-2026-32939
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DataEase versions 2.10.19 and below
Description: DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below exhibit inconsistent locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit locale, relying on the JVM's default runtime locale for security checks, while H2 JDBC normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter 'i' to 'İ' (dotted capital I) instead of 'I', allowing a malicious parameter like iNIT to bypass DataEase's blacklist while H2 correctly interprets it as INIT. This discrepancy enables attackers to smuggle dangerous JDBC parameters past DataEase's security validation. The issue has been confirmed as exploitable in real-world DataEase deployments running under affected regional settings.
Recommendations: Update DataEase to version 2.10.20 or later.
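The locale mismatch described above, shown as an added Java example that is not DataEase's or H2's own code: a simplified blacklist check (the single blocked name INIT and the substring match are assumptions, the real blacklist is not on the page) is run under a Turkish default locale, once upper-casing with the JVM default locale and once with the fixed Locale.ENGLISH that H2 uses. Under tr-TR the default-locale check reports the constructed URL as clean, while the fixed-locale check blocks it.

```java
import java.util.Locale;
import java.util.Set;

public class LocaleSafeJdbcCheck {
    // Assumed stand-in for DataEase's blacklist; the real list is not part of the advisory.
    private static final Set<String> BLOCKED_PARAMS = Set.of("INIT");

    // The pattern the advisory describes: upper-casing with the JVM default locale.
    // Under tr_TR the lowercase 'i' becomes 'İ' (U+0130), so "iNIT" never equals "INIT".
    static boolean blockedWithDefaultLocale(String jdbcUrl) {
        String upper = jdbcUrl.toUpperCase();
        return BLOCKED_PARAMS.stream().anyMatch(upper::contains);
    }

    // Hardened variant: normalize with the same fixed locale the H2 driver uses,
    // so the validator and the driver agree on what the URL contains.
    static boolean blockedWithFixedLocale(String jdbcUrl) {
        String upper = jdbcUrl.toUpperCase(Locale.ENGLISH);
        return BLOCKED_PARAMS.stream().anyMatch(upper::contains);
    }

    public static void main(String[] args) {
        // Constructed sample URL using the "iNIT" spelling from the advisory;
        // the parameter value is a placeholder, not a real H2 INIT script.
        String url = "jdbc:h2:mem:sample;iNIT=placeholder";

        Locale original = Locale.getDefault();
        try {
            // Reproduce the affected regional setting for this JVM only.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            System.out.println("Default locale: " + Locale.getDefault());
            System.out.println("toUpperCase()              -> " + url.toUpperCase());
            System.out.println("toUpperCase(Locale.ENGLISH) -> " + url.toUpperCase(Locale.ENGLISH));
            System.out.println("default-locale check blocks -> " + blockedWithDefaultLocale(url));
            System.out.println("fixed-locale check blocks   -> " + blockedWithFixedLocale(url));
        } finally {
            Locale.setDefault(original);
        }
    }
}
```

The same effect occurs for any check that compares case-folded strings, so the defensive rule is to pass an explicit locale (Locale.ENGLISH or Locale.ROOT) to every toUpperCase()/toLowerCase() used in a security decision, or to compare parameter names with equalsIgnoreCase after parsing the URL rather than substring-matching the whole string.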


Related Identifiers

CVE-2026-32939
GHSA-PJ7P-3M49-52QQ

Affected Products

Dataease