SQL Injection Vulnerability in DataEase Analytics Platform
CVE-2026-33122
8.6 HIGH
What is CVE-2026-33122?
DataEase, an open-source data visualization and analytics platform, has a SQL injection vulnerability affecting versions 2.10.20 and below. The vulnerability arises during the API datasource update process, where user-defined table definitions are incorporated into a CREATE TABLE statement without adequate sanitization. An authenticated attacker can exploit the flaw by manipulating the deTableName field, which may allow the injection of arbitrary SQL commands. This can lead to unauthorized database access and potential data breaches. Affected users are strongly advised to update to version 2.10.21, where this vulnerability has been resolved.
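Table names cannot be bound as query parameters, so a statement builder has to allowlist-validate a deTableName-style value before it reaches a CREATE TABLE string. The sketch below is an added example, not DataEase's code or its actual patch; the function names, the identifier pattern, the allowed column types and the SQLite target are assumptions for illustration.

```python
import re
import sqlite3

# Assumption: generated table/column names only need letters, digits, underscores.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
_TYPES = {"INTEGER", "REAL", "TEXT"}  # assumption: column types the feature supports

class UnsafeIdentifier(ValueError):
    """Raised when a user-supplied name or type is not on the allowlist."""

def safe_ident(name):
    """Return name as a quoted identifier, or raise if it is not a plain identifier."""
    if not isinstance(name, str) or not _IDENT.fullmatch(name):
        raise UnsafeIdentifier(repr(name))
    # The pattern excludes the double quote, so wrapping in quotes cannot be escaped.
    return '"' + name + '"'

def build_create_table(table_name, columns):
    """Build CREATE TABLE from a user-defined table name and (name, type) pairs."""
    if not columns:
        raise ValueError("at least one column is required")
    cols = []
    for col_name, col_type in columns:
        ctype = str(col_type).upper()
        if ctype not in _TYPES:
            raise UnsafeIdentifier(repr(col_type))
        cols.append(f"{safe_ident(col_name)} {ctype}")
    return f"CREATE TABLE {safe_ident(table_name)} ({', '.join(cols)})"

def demo():
    """Run the builder against an in-memory database with good and hostile names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE existing (id INTEGER)")
    conn.execute(build_create_table("api_ds_orders", [("id", "INTEGER"), ("note", "TEXT")]))
    rejected = []
    # Constructed hostile values (not the payload for this CVE).
    for bad in ["x (a TEXT); DROP TABLE existing; --", 'x"y', "", "a" * 65]:
        try:
            conn.execute(build_create_table(bad, [("id", "INTEGER")]))
        except UnsafeIdentifier:
            rejected.append(bad)
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return sorted(r[0] for r in rows), rejected

if __name__ == "__main__":
    print(demo())
```

Rejecting the value outright, rather than trying to strip or escape dangerous characters, keeps the check independent of the target database's quoting rules.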
Affected Version(s)
dataease < 2.10.21
