CVE-2026-32137
Severity: HIGH
Dataease < 2.10.20 - SQL Injection via Table Parameter in Preview Data Endpoint
Title source: llmDescription
Dataease is an open source data visualization and analysis tool. Prior to 2.10.20, the table parameter of /de2api/datasource/previewData is concatenated directly into the SQL statement without any filtering or parameterization. Because tableName is a user-controllable string, an attacker can inject SQL by supplying a crafted table name. This vulnerability is fixed in 2.10.20.
References (1)
Vendor Advisory (x_refsource_confirm): https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624
Scores
CVSS v3: 8.8
EPSS: 0.0042
EPSS Percentile: 33.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (1)
dataease/dataease < 2.10.20
Published: Mar 12, 2026
Tracked Since: Mar 13, 2026