Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21.
Published: 2026-04-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the orderDirection parameter used in dataset-related API endpoints. The application concatenates this raw, user‑supplied value directly into an ORDER BY clause without validation or whitelisting. An authenticated attacker can supply specially crafted input that injects arbitrary SQL statements, enabling time‑based blind data extraction or denial of service through crafted queries. The flaw does not allow arbitrary code execution on the host, but it does provide significant control over the database content and structure.

Affected Systems

DataEase, the open‑source data visualization platform, is affected for all releases version 2.10.20 and earlier. The flaw is present in endpoints such as /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset, where the orderDirection parameter is passed directly to the database. Vulnerable installations can be identified by the absence of the security fix that was released in version 2.10.21.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating a high severity. No EPSS score is available, but the absence of a KEV listing suggests it has not yet been widely exploited in the wild. Exploitation requires authenticated access to the API, and the complexity of injection is low because the application does not perform any sanitization of the orderDirection field. An attacker with the necessary credentials can execute any SQL command permissible under the database user’s privileges, leading to data compromise or disruption of service.

Generated by OpenCVE AI on April 17, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DataEase to version 2.10.21 or later to apply the vendor‑supplied fix for the orderDirection injection.
  • Restrict access to the affected dataset APIs to trusted administrators only, ensuring that only privileged users can supply the orderDirection parameter.
  • If an upgrade is not immediately possible, enforce server‑side input validation or a whitelist that allows only valid ordering values (e.g., ASC or DESC) before the query is constructed.

Generated by OpenCVE AI on April 17, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 16 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Dataease
Dataease dataease
Vendors & Products Dataease
Dataease dataease

Thu, 16 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21.
Title DataEase has SQL Injection in Order By Clause
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Dataease Dataease
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T19:39:25.443Z

Reserved: 2026-03-17T19:27:06.346Z

Link: CVE-2026-33083

cve-icon Vulnrichment

Updated: 2026-04-16T19:39:18.943Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-16T18:16:45.433

Modified: 2026-04-20T16:35:50.860

Link: CVE-2026-33083

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses