9.3

Dataease SQL Injection Vulnerability: Table Name Manipulation

CVE-2026-32137
Summary

Dataease, an open source data visualization tool, was vulnerable to SQL injection through a user-controlled table name, allowing attackers to manipulate database tables. This could have led to unauthorized data access or modification. Update to version 2.10.20 to fix the issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
dataease | dataease | <= 2.10.20 | –
Original title
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, the table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any fil...
Original description
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, the table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names. This vulnerability is fixed in 2.10.20.
nvd CVSS4.0 9.3
Vulnerability type
CWE-89 SQL Injection
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026
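
The flaw class in the description above (a table name concatenated into a preview query), next to a hardened form, as an added example that is not Dataease's code. It uses Python's sqlite3 as a stand-in datasource; the function names, tables and rows are constructed for illustration. Table names cannot be passed as bind parameters, so the hardened version checks the name against an allow-list and the catalog, then quotes it as an identifier.

```python
import sqlite3

def make_demo_db():
    """Constructed in-memory database standing in for a previewed datasource."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER, item TEXT);
        INSERT INTO orders VALUES (1, 'widget'), (2, 'gadget');
        CREATE TABLE credentials (id INTEGER, secret TEXT);
        INSERT INTO credentials VALUES (1, 'not-for-preview');
    """)
    return conn

def preview_unsafe(conn, table, limit=10):
    # Flaw class from the description: the table name is concatenated as-is,
    # so any SQL text supplied in `table` becomes part of the statement.
    sql = "SELECT * FROM " + table + " LIMIT " + str(int(limit))
    return conn.execute(sql).fetchall()

def quote_ident(name):
    # SQL-standard identifier quoting: wrap in double quotes and
    # double any embedded double quote.
    return '"' + name.replace('"', '""') + '"'

def preview_safe(conn, table, allowed, limit=10):
    # 1. Allow-list: only tables this datasource may expose (hypothetical set).
    if table not in allowed:
        raise ValueError("table not permitted for preview")
    # 2. Catalog check: the name must match an existing table exactly.
    exists = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    if exists is None:
        raise ValueError("unknown table")
    # 3. Quote the identifier; bind every value that can be bound.
    sql = f"SELECT * FROM {quote_ident(table)} LIMIT ?"
    return conn.execute(sql, (int(limit),)).fetchall()

if __name__ == "__main__":
    db = make_demo_db()
    crafted = "orders UNION SELECT id, secret FROM credentials"  # constructed input
    print("unsafe:", preview_unsafe(db, crafted))
    try:
        preview_safe(db, crafted, allowed={"orders"})
    except ValueError as err:
        print("safe: rejected ->", err)
    print("safe:", preview_safe(db, "orders", allowed={"orders"}))
```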