CVE-2026-33122

🔴 Łataj teraz

Wstrzyknięcie SQL w DataEase umożliwia atakującemu wyciąganie informacji z bazy danych.

CVSS

9.8

EPSS

0.0%

Exploit

poc

Vendor

dataease

Opis źródłowy (NVD)

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from the user-submitted configuration is passed to DatasourceSyncManage.createEngineTable, where it is substituted into a CREATE TABLE statement template without any sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information. This issue has been fixed in version 2.10.21.

exploit sql-injection Brak patcha

Źródła i daty

Źródło	Wartość
NVD – CVSS	9.8
CISA KEV (aktywnie wykorzystywane)	Nie
FIRST EPSS (prawdopodobieństwo exploita)	0.0%
Opublikowano (NVD)	2026-04-16 20:16:38 UTC
Ostatnia modyfikacja (NVD)	2026-04-20 16:40:39 UTC

Referencje

https://github.com/dataease/dataease/releases/tag/v2.10.21 (security-advisories@github.com) [Product, Release Notes]
https://github.com/dataease/dataease/security/advisories/GHSA-28vg-3hv7-w92f (security-advisories@github.com) [Exploit, Vendor Advisory]