SQL Injection Vulnerability in DataEase Open Source Data Visualization Tool
CVE-2026-45320

8.7HIGH

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-45320?

DataEase, an open-source data visualization and analysis tool, is susceptible to SQL injection vulnerabilities prior to version 2.10.23. The vulnerability arises when SQL variables, such as ${deptId}, are processed by the SqlparserUtils.transFilter() method. This method allows raw user input to be injected directly into the SQL queries when using non-in and non-between operators. Authenticated users with access to view the dashboard can exploit this weakness to execute unauthorized SQL commands against integrated data sources. This vulnerability has been addressed and fixed in version 2.10.23.

Affected Version(s)

dataease < 2.10.23

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.