Running-elephant CVEs and Security Vulnerabilities

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (6 CVEs found)

Export CSV

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-70828	1 Running-elephant	1 Datart	2026-02-19	8.8 High
An issue in Datart v1.0.0-rc.3 allows attackers to execute arbitrary code via the url parameter in the JDBC configuration
CVE-2025-70829	1 Running-elephant	1 Datart	2026-02-18	5.7 Medium
An information exposure vulnerability in Datart v1.0.0-rc.3 allows authenticated attackers to access sensitive data via a custom H2 JDBC connection string.
CVE-2025-70830	1 Running-elephant	1 Datart	2026-02-18	9.9 Critical
A Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine of Datart v1.0.0-rc.3 allows authenticated attackers to execute arbitrary code via injecting crafted Freemarker template syntax into the SQL script field.
CVE-2025-56819	2 Datart, Running-elephant	2 Datart, Datart	2025-10-10	9.8 Critical
An issue in Datart v.1.0.0-rc.3 allows a remote attacker to execute arbitrary code via the INIT connection parameter.
CVE-2025-56815	2 Datart, Running-elephant	2 Datart, Datart	2025-10-10	7.1 High
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal in the POST /viz/image interface, since the server directly uses MultipartFile.transferTo() to save the uploaded file to a path controllable by the user, and lacks strict verification of the file name.
CVE-2025-56816	2 Datart, Running-elephant	2 Datart, Datart	2025-10-10	8.8 High
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. The configuration file handling of the application allows attackers to upload arbitrary YAML files to the config/jdbc-driver-ext.yml path. The application parses this file using SnakeYAML's unsafe load() or loadAs() method without input sanitization. This allows deserialization of attacker-controlled YAML content, leading to arbitrary class instantiation. Under certain conditions, this can be exploited to achieve remote code execution (RCE).

Page 1 of 1.