SQL Injection Vulnerability in DataEase Open-Source Analytics Platform
CVE-2026-33121

8.7 HIGH

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published:
16 April 2026

What is CVE-2026-33121?

DataEase, an open-source data visualization and analytics platform, contains a SQL injection vulnerability in versions 2.10.20 and below. The flaw is in the API datasource saving process: the deTableName field from the Base64-encoded datasource configuration is used to construct a Data Definition Language (DDL) statement without sanitization or escaping. An authenticated attacker can therefore manipulate deTableName to inject arbitrary SQL commands, potentially extracting sensitive database information such as MySQL version details. To mitigate this risk, upgrade to version 2.10.21 or later, where the vulnerability has been addressed.
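An added example, not DataEase's own code or its actual fix: one way to handle a table name taken from a decoded datasource configuration before it is placed in a DDL string. Identifiers cannot be bound as prepared-statement parameters, so the code allow-lists them at the point of use; the JSON shape, the LONGTEXT column type, the function names and the sample values are assumptions.

```python
import base64
import json
import re

# Assumption: a generated table name needs only letters, digits and underscores,
# up to MySQL's 64-character identifier limit.
_SAFE_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def safe_identifier(name):
    """Return name backtick-quoted, or raise ValueError if it is not allow-listed."""
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if not isinstance(name, str) or not _SAFE_IDENT.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return f"`{name}`"


def table_names_from_config(b64_config):
    """Decode the Base64 JSON configuration and return its validated table names."""
    try:
        entries = json.loads(base64.b64decode(b64_config, validate=True))
    except ValueError as exc:  # bad Base64, bad UTF-8 and bad JSON all land here
        raise ValueError("configuration is not Base64-encoded JSON") from exc
    if not isinstance(entries, list) or not all(isinstance(e, dict) for e in entries):
        raise ValueError("configuration must be a list of objects")
    names = [e.get("deTableName") for e in entries]
    for name in names:
        safe_identifier(name)  # reject the whole request on the first bad name
    return names


def build_create_table(table_name, column_names):
    """Build the DDL; every identifier is re-validated at the point of use."""
    cols = ", ".join(f"{safe_identifier(c)} LONGTEXT" for c in column_names)
    return f"CREATE TABLE {safe_identifier(table_name)} ({cols})"


def _encode(entries):  # helper for the constructed samples below
    return base64.b64encode(json.dumps(entries).encode()).decode()


# Constructed sample inputs, not captured from a real DataEase request.
SAMPLE_OK = _encode([{"deTableName": "api_orders_01"}])
SAMPLE_HOSTILE = _encode([{"deTableName": "api_orders_01` -- constructed"}])

if __name__ == "__main__":
    print(build_create_table(table_names_from_config(SAMPLE_OK)[0], ["id", "total"]))
```

Validating again inside build_create_table means a caller that skips the decoding step still cannot reach the DDL string with an unchecked name.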

Affected Version(s)

dataease < 2.10.21

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
