SQL Injection Vulnerability in DataEase Open Source Tool
CVE-2026-45417

8.7HIGH

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-45417?

DataEase, an open source data visualization and analysis tool, presents an SQL injection vulnerability whereby the connection status checks improperly handle SQL queries. Specifically, before version 2.10.23, the function concatenates configuration.getSchema() into getTablesSql, leading to unsafe execution of the SQL queries via the executeQuery method. This flaw can be exploited against various database systems, including DB2, SQL Server, and PostgreSQL, if not mitigated.

Affected Version(s)

dataease < 2.10.23

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.