Description
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, the table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names. This vulnerability is fixed in 2.10.20.
Published: 2026-03-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

Dataease, an open‑source data visualization tool, contains a classic SQL injection flaw in its /de2api/datasource/previewData endpoint. The tableName query parameter is concatenated directly into an SQL statement with no filtering or parameterization, enabling an attacker to inject arbitrary SQL when providing a crafted table name. This can allow disclosure of sensitive data and, if the attacker writes destructive statements, modification or deletion of database contents. The flaw is classified as CWE‑89.
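The concatenation pattern described above beside a hardened variant, as an added illustration that is not Dataease's own code: the preview functions, the in-memory SQLite table and its rows are all constructed here. The point worth keeping in mind is that a table name is an identifier, which SQL drivers cannot bind as a parameter, so the fix has to validate the name against the datasource's catalog and quote it, binding only literal values (here the LIMIT).

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory datasource standing in for a configured connection."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sales (id INTEGER, amount REAL)")
    con.execute("INSERT INTO sales VALUES (1, 9.5), (2, 20.0)")
    return con

def preview_vulnerable(con, table_name, limit=100):
    """Vulnerable pattern: the caller-supplied name is spliced into the statement,
    so anything after the identifier is executed as SQL too."""
    sql = f"SELECT * FROM {table_name} LIMIT {int(limit)}"
    return con.execute(sql).fetchall()

IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def preview_hardened(con, table_name, limit=100):
    """Hardened pattern: identifiers cannot be bound as parameters, so
    (1) check the syntax, (2) allow-list against the datasource's catalog,
    (3) quote the identifier, (4) bind the literal LIMIT as a parameter."""
    if not IDENTIFIER.fullmatch(table_name):
        raise ValueError("table name is not a plain identifier")
    catalog = {row[0] for row in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table_name not in catalog:
        raise ValueError("table is not in the datasource catalog")
    quoted = '"' + table_name.replace('"', '""') + '"'
    return con.execute(f"SELECT * FROM {quoted} LIMIT ?", (int(limit),)).fetchall()

def hardened_rejects(con, table_name):
    """True when the hardened preview refuses the supplied name before any query runs."""
    try:
        preview_hardened(con, table_name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    # Vulnerable: the trailing fragment runs as SQL (1 row instead of 2).
    print(preview_vulnerable(db, "sales WHERE amount > 10"))
    # Hardened: the same input is rejected at the identifier check.
    print(hardened_rejects(db, "sales WHERE amount > 10"))
```

A real deployment would additionally restrict the allow-list to the tables the requesting user is permitted to preview, not just those that exist.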

Affected Systems

The vulnerability affects all Dataease releases prior to version 2.10.20. Versions 2.10.20 and later contain the remediation that parameterizes the SQL query. The API endpoint /de2api/datasource/previewData is the entry point for the vulnerability.

Risk and Exploitability

With a CVSS score of 9.3, the issue is rated critical. The EPSS score is below 1%, indicating a low estimated probability of exploitation, and the issue is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request to the /de2api/datasource/previewData endpoint: if the endpoint is publicly reachable or an authenticated user can trigger it, the attacker can supply a malicious tableName value to execute arbitrary SQL. The impact scope is full access to the underlying database, which could compromise the confidentiality and integrity of all stored data.

Generated by OpenCVE AI on March 18, 2026 at 15:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Dataease to version 2.10.20 or later to apply the vendor patch that parameterizes the SQL query.
  • If an immediate update is not possible, restrict network access to the /de2api/datasource/previewData endpoint by firewall or application rules so that only authorized users can reach it.
  • Disable or remove the previewData functionality if it is not required for operations.
  • Monitor network traffic and application logs for suspicious requests to the previewData endpoint.
  • Ensure that the database user account used by Dataease has only the minimum privileges required to perform its functions, limiting damage in case of successful exploitation.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 16:15:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
Metrics |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 13 Mar 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Dataease; Dataease dataease
Vendors & Products  |                | Dataease; Dataease dataease

Thu, 12 Mar 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names. This vulnerability is fixed in 2.10.20.
Title       |                | DataEase SQL Injection Vulnerability
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:23:17.480Z

Reserved: 2026-03-10T22:19:36.546Z

Link: CVE-2026-32137

Vulnrichment

Updated: 2026-03-13T16:23:14.311Z

NVD

Status : Analyzed

Published: 2026-03-12T18:16:25.257

Modified: 2026-03-13T16:03:02.080

Link: CVE-2026-32137

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:48:40Z

Weaknesses