Description
A security flaw has been discovered in Dataease 2.10.20. Affected is the function SqlparserUtils.transFilter of the file SqlparserUtils.java in the Data Dashboard component. Manipulation of the input leads to SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Published: 2026-05-17
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dataease 2.10.20 contains a flaw in the SqlparserUtils.transFilter method of the Data Dashboard component: filter input is incorporated into the SQL that the dashboard executes in a way that lets a caller alter the query. This is a classic SQL injection vector (CWE-89) that can expose, alter or delete data reachable through the dashboard's data source connection. The CVSS 4.0 score of 5.1 (Medium) reflects a network-reachable flaw (AV:N) that nevertheless requires high privileges (PR:H), i.e. an authenticated dashboard user with elevated rights, and the vector rates the impact on confidentiality, integrity and availability as low (VC:L/VI:L/VA:L).

Affected Systems

The only affected product listed is Dataease, specifically the 2.10.20 release. No other versions or variants are enumerated, although the recorded CPE is unversioned.

Risk and Exploitability

A proof-of-concept exploit is publicly available (E:POC in the CVSS 2 vector, E:P in the CVSS 3.x and 4.0 vectors) and the attack is launched remotely, presumably through a request to the Data Dashboard that carries a crafted filter. The EPSS score is not yet available and the vulnerability is not listed in the CISA KEV catalog. All published vectors require high privileges (PR:H), so the realistic attacker is a dashboard user who already holds elevated rights, or someone who has obtained such an account; given that, the attacker can influence the SQL the dashboard runs against the connected data source, with the vectors rating the confidentiality, integrity and availability impact as low.

Generated by OpenCVE AI on May 17, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dataease to a release that contains a fixed SqlparserUtils implementation as soon as the vendor publishes one; at the time of writing no fix is listed.
  • Treat every filter that reaches the transFilter method as untrusted: accept only field names and operators from a strict allowlist, and bind filter values as query parameters instead of concatenating them into the SQL text.
  • Restrict network access to the Dataease dashboard, for example by limiting inbound connections to trusted IP ranges or placing the service behind a VPN, and, because exploitation requires a privileged account, review which users hold elevated dashboard roles.
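The following Python sketch is an added illustration of the pattern behind the impact and remediation notes above. It is not Dataease code and not the real SqlparserUtils.transFilter, whose internals the page does not show: a hypothetical dashboard filter-to-SQL translator is written twice, first with string concatenation and then hardened with an allowlist for fields and operators plus bound parameters. The table, column names, filter format and sample rows are all constructed for the example, and it runs offline against an in-memory SQLite database.

```python
"""
Added example, not code from Dataease or from the real SqlparserUtils.transFilter
(the page does not show that method's internals). A hypothetical dashboard
filter-to-SQL translator is written twice: first with string concatenation,
then hardened with an allowlist for fields and operators plus bound
parameters. Runs offline against an in-memory SQLite table of constructed rows.
"""
import sqlite3

# Constructed sample data for the example (not from the original page).
SAMPLE_ROWS = [("alice", "sales", 120), ("bob", "sales", 80), ("carol", "finance", 300)]


def make_db():
    """Create the in-memory 'revenue' table the dashboard query reads from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE revenue (name TEXT, dept TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO revenue VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


# A filter is a list of {"field": ..., "op": ..., "value": ...} dicts, as a
# dashboard front end might post them (hypothetical format for this example).

def trans_filter_unsafe(filters):
    """Vulnerable pattern: field, operator and value are pasted into the SQL text."""
    clauses = [f"{f['field']} {f['op']} '{f['value']}'" for f in filters]
    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT name, dept, amount FROM revenue WHERE {where} ORDER BY name", ()


ALLOWED_FIELDS = {"name", "dept", "amount"}
ALLOWED_OPS = {"=", "<>", "<", ">", "LIKE"}


class FilterError(ValueError):
    """Raised when a filter names a field or operator outside the allowlist."""


def trans_filter_safe(filters):
    """Hardened: identifiers come only from allowlists, values are bound as parameters."""
    clauses, params = [], []
    for f in filters:
        field, op, value = f.get("field"), f.get("op"), f.get("value")
        if field not in ALLOWED_FIELDS:
            raise FilterError(f"unknown field: {field!r}")
        if op not in ALLOWED_OPS:
            raise FilterError(f"unknown operator: {op!r}")
        # The identifier is quoted and the operator is a known token; the value
        # never touches the SQL text, it travels through a '?' placeholder.
        clauses.append(f'"{field}" {op} ?')
        params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT name, dept, amount FROM revenue WHERE {where} ORDER BY name", tuple(params)


def run(conn, translator, filters):
    """Translate a filter with the given translator and execute it; returns the rows."""
    sql, params = translator(filters)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = [{"field": "dept", "op": "=", "value": "sales"}]
    # Classic tautology injection carried in the filter value.
    injected = [{"field": "dept", "op": "=", "value": "x' OR '1'='1"}]
    print("unsafe, benign  :", run(conn, trans_filter_unsafe, benign))
    print("unsafe, injected:", run(conn, trans_filter_unsafe, injected))  # every row leaks
    print("safe, benign    :", run(conn, trans_filter_safe, benign))
    print("safe, injected  :", run(conn, trans_filter_safe, injected))    # value is literal: no rows
    try:
        run(conn, trans_filter_safe, [{"field": "dept; --", "op": "=", "value": "x"}])
    except FilterError as e:
        print("safe, bad field :", e)
```

The point to notice is that the hardened version does not try to "sanitize" the value at all; it keeps attacker-controlled text out of the SQL grammar by construction, and the only things that become SQL tokens are identifiers and operators that were checked against a fixed set. Any real fix in a filter translator should follow the same shape: reject unknown fields and operators rather than escaping them, and bind values.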

Advisories

No advisories yet.

History

Sun, 17 May 2026 01:30:00 +0000

Type: Values Removed / Values Added (no values removed; all of the following were added)

Description: A security flaw has been discovered in Dataease 2.10.20. Impacted is the function SqlparserUtils.transFilter of the file SqlparserUtils.java of the component Data Dashboard. The manipulation results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Title: Dataease Data Dashboard SqlparserUtils.java SqlparserUtils.transFilter sql injection
First Time appeared: Dataease; Dataease dataease
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
Vendors & Products: Dataease; Dataease dataease
References: (none listed)
Metrics:
  cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T00:30:10.259Z

Reserved: 2026-05-16T09:35:03.939Z

Link: CVE-2026-8724

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-17T02:16:45.127

Modified: 2026-05-17T02:16:45.127

Link: CVE-2026-8724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T02:30:36Z

Weaknesses