Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx
X_Refsource_Misc x_refsource_misc
https://github.com/dataease/dataease/releases/tag/v2.10.21
Scores
CVSS v3
8.8
EPSS
0.0034
EPSS Percentile
25.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
dataease/dataease
< 2.10.21 (2 CPE variants)
Published
Apr 16, 2026
Tracked Since
Apr 17, 2026