SQL Injection Vulnerability in DataEase Data Visualization Tool
CVE-2026-55635

8.7HIGH

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-55635?

DataEase, an open-source data visualization and analysis tool, has a vulnerability that allows authenticated users to embed attacker-controlled filter values into generated SQL queries. This occurs via the Quota2SQLObj.getYWheres() function, where chart quota and Y-axis filters do not adequately validate or escape SQL literals. As a result, an attacker can manipulate SQL queries sent to configured datasources when creating or modifying chart definitions or submitting requests with quota filters. This vulnerability has been addressed in version 2.10.24.

Affected Version(s)

dataease < 2.10.24

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.