SQL Injection in Dataease

CVE-2026-32137

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableNam…

Vulnerability class: SQL Injection

EPSS: 0.001 (22.3th percentile) — read the EPSS interpretation.

Affected products

Dataease — versions < 2.10.20

Weakness classification (CWE)

CWE-89 — SQL Injection

References

https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624 (x_refsource_CONFIRM)