Description
DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to WhereTree2Str.transFilterTrees for SQL translation, where user-controlled values in "like" filter terms are directly concatenated into SQL fragments without sanitization. An attacker can inject arbitrary SQL commands by escaping the string literal in the filter value, enabling blind SQL injection through techniques such as time-based extraction of database information. This issue has been fixed in version 2.10.21.
Published: 2026-04-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection (Blind)
Action: Immediate Patch
AI Analysis

Impact

A blind SQL injection flaw exists in the dataset export endpoint of DataEase. The parameter named expressionTree is deserialized into a filtering object and then translated into SQL. User-controlled values in "like" filter terms are concatenated directly into the SQL statement without proper sanitization, creating a classic injection point classified as CWE-89. An attacker can escape the string literal within a filter value and inject arbitrary SQL commands, enabling techniques such as time-based queries to extract database information. The impact is the potential exposure of sensitive data stored in the database and the possibility of further exploitation via data manipulation.

Affected Systems

This vulnerability affects the open-source DataEase data visualization tool, specifically version 2.10.20 and all prior releases. The issue is fixed in version 2.10.21, so any deployment running v2.10.20 or older is susceptible.

Risk and Exploitability

The flaw carries a high CVSS score of 8.7, indicating substantial severity. The EPSS score is unavailable, so it is treated as unknown. There is no KEV listing, which suggests that widespread public exploitation has not been documented. Because the vulnerable endpoint is a remote HTTP POST, an attacker may craft a malicious expressionTree payload and send a request to /de2api/datasetTree/exportDataset. Whether authentication is required to access this endpoint is not disclosed in the CVE data; it is inferred that successful exploitation requires the attacker to reach the endpoint, either with valid credentials or through openly exposed access. Once the payload reaches the backend, SQL commands can be injected into the database, allowing data extraction or modification.

Generated by OpenCVE AI on April 17, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DataEase to version 2.10.21 or later, which removes the unsanitized SQL concatenation.
  • Restrict access to the /de2api/datasetTree/exportDataset endpoint, limiting it to trusted users or IP ranges.
  • Implement input validation or switch to parameterized queries for the dataset export logic to eliminate concatenated SQL fragments.
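
The following is an added illustration, not DataEase code, of the translation step the description and the last action above refer to: a hypothetical filter-term shape standing in for a deserialized expressionTree leaf is rendered once the way the advisory describes (value spliced into a quoted literal) and once with bind parameters plus an identifier allowlist, then run against a constructed in-memory SQLite table.

```python
import re
import sqlite3
from dataclasses import dataclass

# Hypothetical filter-term shape standing in for one deserialised expressionTree leaf.
@dataclass
class FilterTerm:
    field: str
    op: str
    value: str

OPERATORS = {"eq": "=", "like": "LIKE", "not_like": "NOT LIKE"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def trans_filter_tree_unsafe(terms):
    # The pattern the advisory describes: the raw value is spliced into a quoted
    # literal, so a quote inside the value ends the literal early.
    return " AND ".join(f"{t.field} {OPERATORS[t.op]} '{t.value}'" for t in terms)

def trans_filter_tree(terms, allowed_fields):
    # Hardened translation: values travel as bind parameters; identifiers, which
    # cannot be parameterised, must pass an allowlist and a strict identifier regex.
    allowed = set(allowed_fields)
    clauses, params = [], []
    for t in terms:
        if t.field not in allowed or not IDENT_RE.match(t.field):
            raise ValueError(f"field not allowed: {t.field!r}")
        if t.op not in OPERATORS:
            raise ValueError(f"operator not allowed: {t.op!r}")
        clauses.append(f'"{t.field}" {OPERATORS[t.op]} ?')
        params.append(t.value)
    return " AND ".join(clauses), params

def rejects(terms, allowed_fields):
    # True when the hardened translator refuses the tree (unknown field or operator).
    try:
        trans_filter_tree(terms, allowed_fields)
    except ValueError:
        return True
    return False

def export_rows(terms):
    # Runs the translated WHERE clause against a constructed in-memory SQLite table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("O'Brien", "Cork"), ("Smith", "Leeds")])  # constructed rows
    where, params = trans_filter_tree(terms, {"name", "city"})
    return conn.execute(f"SELECT name, city FROM customers WHERE {where}", params).fetchall()
```

With parameters, a quote inside a "like" value is matched as data (the O'Brien row is found); the unsafe rendering instead terminates the literal at that quote, which is the condition the CVE describes.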

Tracking

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:45:00 +0000

Type       Values Removed   Values Added
CPEs                        cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
Metrics                     cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 16 Apr 2026 22:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Dataease
                                       Dataease dataease
Vendors & Products                     Dataease
                                       Dataease dataease

Thu, 16 Apr 2026 19:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 18:00:00 +0000

Type          Values Removed   Values Added
Description                    DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to WhereTree2Str.transFilterTrees for SQL translation, where user-controlled values in "like" filter terms are directly concatenated into SQL fragments without sanitization. An attacker can inject arbitrary SQL commands by escaping the string literal in the filter value, enabling blind SQL injection through techniques such as time-based extraction of database information. This issue has been fixed in version 2.10.21.
Title                          DataEase: SQL Injection in v2 Dataset Export
Weaknesses                     CWE-89
References
Metrics                        cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T18:41:46.111Z

Reserved: 2026-03-17T19:27:06.346Z

Link: CVE-2026-33082

Vulnrichment

Updated: 2026-04-16T18:41:42.427Z

NVD

Status: Analyzed

Published: 2026-04-16T18:16:45.283

Modified: 2026-04-20T16:34:56.370

Link: CVE-2026-33082

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses