Datart is susceptible to a critical Server-Side Template Injection vulnerability that allows authenticated users to execute remote code through the SQL script field.

An authenticated attacker can inject malicious Freemarker template syntax into the SQL script field of the application. Because the engine does not properly sanitize this input, it executes the injected code on the server hosting the Datart application.

A successful SSTI attack allows an attacker to execute arbitrary code with the permissions of the application server. With a CVSS score of 9.9, this vulnerability poses a catastrophic risk to data confidentiality and system integrity, potentially leading to a full database or server breach.

Immediate Action: Update Datart to the latest available version that includes patches for Freemarker template injection.

Proactive Monitoring: Inspect SQL script logs for unusual template syntax (e.g., ${...}) and monitor the server for unauthorized outbound network connections or shell activity.

Compensating Controls: Implement strict input validation and use a security manager to restrict the capabilities of the Freemarker template engine.

Public Exploit Available: false

The high CVSS score and the potential for remote code execution make this a top-priority fix. Organizations using Datart must apply the necessary updates immediately to protect their data visualization environments from compromise.