SQL Injection Vulnerability in DataEase Open Source Data Visualization Tool
CVE-2026-45320
8.7HIGH
What is CVE-2026-45320?
DataEase, an open-source data visualization and analysis tool, is susceptible to SQL injection vulnerabilities prior to version 2.10.23. The vulnerability arises when SQL variables, such as ${deptId}, are processed by the SqlparserUtils.transFilter() method. This method allows raw user input to be injected directly into the SQL queries when using non-in and non-between operators. Authenticated users with access to view the dashboard can exploit this weakness to execute unauthorized SQL commands against integrated data sources. This vulnerability has been addressed and fixed in version 2.10.23.
Affected Version(s)
dataease < 2.10.23
