CVSS score: 8.6

DataEase SQL Injection in Data Visualization and Analytics Platform

CVE-2026-33122
Summary

DataEase versions 2.10.20 and below contain a SQL injection flaw that lets an authenticated attacker extract data from the database behind the platform. To fix this issue, update to version 2.10.21 or later. If you can't update immediately, restrict access to the /de2api/datasource/update endpoint so that untrusted users cannot reach the vulnerable code path.

Original description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from the user-submitted configuration is passed to DatasourceSyncManage.createEngineTable, where it is substituted into a CREATE TABLE statement template without any sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information. This issue has been fixed in version 2.10.21.
NVD CVSS 4.0 score: 8.6
Vulnerability type
CWE-89 SQL Injection
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026
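The description above comes down to an identifier being interpolated into a CREATE TABLE template. The added example below (constructed for this page, not DataEase's code) puts the unsafe pattern beside a hardened builder that allowlists the table name and quotes it with backtick doubling, then actually executes the hardened statement on an in-memory SQLite database, which accepts backtick-quoted identifiers; the function names, the regex limits and the column list are assumptions.

```python
import re
import sqlite3

# Constructed illustration of the pattern the advisory describes: the
# user-submitted deTableName is dropped into a CREATE TABLE template. A
# backtick inside the name ends the identifier early, and whatever follows
# is parsed as SQL. Not DataEase's code; the column list is made up.
UNSAFE_TEMPLATE = "CREATE TABLE `{name}` (id INTEGER PRIMARY KEY)"

# Allowlist: letter/underscore start, then letters, digits, underscores, <= 64 chars.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def unsafe_create_table_sql(de_table_name: str) -> str:
    """Vulnerable form: no validation, no identifier escaping."""
    return UNSAFE_TEMPLATE.format(name=de_table_name)

def is_safe_identifier(name: str) -> bool:
    """Strict allowlist check, applied before the name touches any SQL."""
    return IDENT_RE.fullmatch(name) is not None

def quote_identifier(name: str) -> str:
    """Backtick-quote an identifier, doubling embedded backticks (MySQL rule)."""
    return "`" + name.replace("`", "``") + "`"

def safe_create_table_sql(de_table_name: str) -> str:
    """Hardened form: allowlist first, then quote; never interpolate raw input."""
    if not is_safe_identifier(de_table_name):
        raise ValueError(f"rejected table name: {de_table_name!r}")
    return f"CREATE TABLE {quote_identifier(de_table_name)} (id INTEGER PRIMARY KEY)"

def rejects(de_table_name: str) -> bool:
    """True if the hardened builder refuses the name."""
    try:
        safe_create_table_sql(de_table_name)
    except ValueError:
        return True
    return False

def create_engine_table(de_table_name: str) -> str:
    """Hypothetical stand-in for the engine-table step: run the hardened
    statement on in-memory SQLite (accepts backtick quoting) and return
    the table name as the database stored it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(safe_create_table_sql(de_table_name))
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (de_table_name,),
    ).fetchone()
    return row[0]
```

Compare `unsafe_create_table_sql("bad`name")`, which yields a statement whose identifier closes after `bad`, with `rejects("bad`name")`, which is true because the allowlist runs before any SQL is built.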