SQL Injection Vulnerability in DataEase Data Visualization Tool
CVE-2026-55635
8.7HIGH
What is CVE-2026-55635?
DataEase, an open-source data visualization and analysis tool, has a vulnerability that allows authenticated users to embed attacker-controlled filter values into generated SQL queries. This occurs via the Quota2SQLObj.getYWheres() function, where chart quota and Y-axis filters do not adequately validate or escape SQL literals. As a result, an attacker can manipulate SQL queries sent to configured datasources when creating or modifying chart definitions or submitting requests with quota filters. This vulnerability has been addressed in version 2.10.24.
Affected Version(s)
dataease < 2.10.24
