SQL Injection Vulnerability in DataEase Analytics Platform
CVE-2026-33083

8.7 HIGH

Key Information:

Vendor: Dataease
Status: Vendor
CVE Published: 16 April 2026

What is CVE-2026-33083?

DataEase, an open-source data visualization and analytics platform, suffers from a SQL injection vulnerability affecting versions 2.10.20 and below. The vulnerability originates from improper handling of the orderDirection parameter within dataset-related API endpoints, such as /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class incorporates user-supplied input directly into SQL queries without validating or enforcing any restrictions, allowing authenticated attackers to execute arbitrary SQL commands. This flaw can lead to unauthorized data extraction and potential denial of service attacks. The issue has been resolved in version 2.10.21.
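
As an added illustration of the defect and its fix (this is not DataEase's own code; the function names, the column allowlist and the log lines are constructed for this example): the unsafe builder concatenates orderDirection into SQL as the advisory describes, the safe one accepts only allowlisted values, and a small log check flags requests to the two named endpoints whose orderDirection is anything other than ASC or DESC.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values an ORDER BY direction may legitimately take; anything else is rejected.
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def unsafe_order_clause(column: str, order_direction: str) -> str:
    """The anti-pattern the advisory describes: request input spliced into SQL."""
    return f"ORDER BY {column} {order_direction}"


def safe_order_clause(column: str, order_direction: str, allowed_columns: set) -> str:
    """Build an ORDER BY fragment from allowlisted parts, or raise ValueError.

    Neither part is taken verbatim from the request: the column must be a known
    dataset field and a plain identifier, and the direction must be exactly
    ASC or DESC (compared case-insensitively).
    """
    column = column.strip()
    if column not in allowed_columns or not IDENTIFIER_RE.match(column):
        raise ValueError(f"unknown sort column: {column!r}")
    direction = order_direction.strip().upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort direction: {order_direction!r}")
    return f'ORDER BY "{column}" {direction}'


# Constructed sample access-log lines (not real DataEase logs) for the two
# endpoints named in the advisory. Format: client method path status.
SAMPLE_LOG = """\
10.0.0.5 POST /de2api/datasetData/enumValueDs?orderDirection=asc 200
10.0.0.7 GET /de2api/datasetTree/exportDataset?orderDirection=DESC 200
10.0.0.9 POST /de2api/datasetData/enumValueDs?orderDirection=desc%20x 500
"""


def flag_bad_order_direction(log_text: str) -> list:
    """Return (client, value) pairs whose orderDirection is not ASC/DESC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or "/de2api/dataset" not in parts[2]:
            continue
        query = parse_qs(urlsplit(parts[2]).query)
        for value in query.get("orderDirection", []):
            if value.strip().upper() not in ALLOWED_DIRECTIONS:
                hits.append((parts[0], value))
    return hits
```

The same allowlist serves both purposes: the application refuses the value before it reaches the query builder, and the log check surfaces any client that sent one.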

Affected Version(s)

dataease < 2.10.21

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
