SQL Injection Vulnerability in DataEase Data Visualization Platform
CVE-2026-40900

8.7 HIGH

Key Information:

Vendor: Dataease
Status: Vendor
CVE Published: 16 April 2026

What is CVE-2026-40900?

The DataEase data visualization platform has a SQL injection flaw in its /de2api/datasetData/previewSql endpoint, which embeds user-supplied SQL in a controlled subquery without sufficient validation. On its own the wrapper bounds what the preview can return. Chained with a JDBC blocklist bypass that lets the datasource connection accept multiple statements, however, an attacker who holds valid datasource credentials can terminate the wrapped subquery and append arbitrary statements, including write operations, which gives full read and write access to the underlying database. Because exploitation presupposes datasource credentials, the realistic attacker is an authenticated platform user rather than an anonymous one. The issue is fixed in DataEase 2.10.21; installations running earlier versions should be upgraded.

Affected Version(s)

dataease < 2.10.21

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 16 April 2026