PT-2026-25034 · Dataease+1 · Dataease
Ray-778 · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32137
CVSS v4.0: 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Dataease versions prior to 2.10.20
Description
Dataease is an open source data visualization analysis tool. The table parameter for the /de2api/datasource/previewData API endpoint is directly concatenated into a SQL statement without filtering or parameterization. Because tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names.
Recommendations
Versions prior to 2.10.20 should be updated to version 2.10.20 or later.
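As an added illustration (this is not code from the Dataease project; the Python/sqlite3 setup, the table names and the allowed_tables set are constructed assumptions), the concatenation pattern the description refers to is shown next to a hardened variant. A table name is an identifier, not a value, so it cannot be passed as a bound query parameter; the fix is to validate it against a strict character pattern and an allow-list of the tables the datasource is meant to expose, and only then quote it into the statement.

```python
import re
import sqlite3

# Identifier pattern: letters, digits and underscores only, not starting
# with a digit. Anything else (quotes, spaces, semicolons, comments) is
# rejected before it can reach the SQL text.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory datasource standing in for a real one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER, amount REAL);
        INSERT INTO orders VALUES (1, 9.99), (2, 19.50);
        CREATE TABLE secrets (id INTEGER, token TEXT);
        INSERT INTO secrets VALUES (1, 'constructed-sample-token');
        """
    )
    return conn


def preview_data_unsafe(conn: sqlite3.Connection, table_name: str) -> list:
    """The pattern the advisory describes: the caller-supplied name is
    pasted straight into the statement, so whatever the caller sends
    becomes part of the SQL text and any table is readable."""
    sql = "SELECT * FROM " + table_name + " LIMIT 10"
    return conn.execute(sql).fetchall()


def quote_identifier(name: str) -> str:
    """Standard double-quote identifier quoting; embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def preview_data_safe(
    conn: sqlite3.Connection, table_name: str, allowed_tables: set
) -> list:
    """Hardened variant: validate the identifier, check it against the
    allow-list of tables this datasource exposes, then quote it.
    Raises ValueError for anything that does not pass."""
    if not IDENTIFIER_RE.fullmatch(table_name):
        raise ValueError("table name contains disallowed characters")
    if table_name not in allowed_tables:
        raise ValueError("table is not exposed by this datasource")
    sql = "SELECT * FROM " + quote_identifier(table_name) + " LIMIT 10"
    return conn.execute(sql).fetchall()


def is_accepted(conn: sqlite3.Connection, table_name: str, allowed_tables: set) -> bool:
    """Helper for checks: True if the hardened preview accepts the name."""
    try:
        preview_data_safe(conn, table_name, allowed_tables)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_demo_db()
    exposed = {"orders"}  # constructed: what this datasource should expose
    print(preview_data_safe(db, "orders", exposed))
    for name in ('orders" --', "orders; DROP TABLE orders", "secrets"):
        print(repr(name), "accepted:", is_accepted(db, name, exposed))
```

The allow-list matters as much as the character check: the unsafe version reads any table the database user can see, while the hardened version also refuses a syntactically valid name such as secrets that the datasource was never meant to expose. In Java code built on MyBatis the same distinction is textual substitution with ${} versus a bound parameter with #{}; an identifier that must be substituted textually needs exactly this kind of validation in front of it.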
Exploit
Fix
SQL injection
Weakness Enumeration
Related identifiers
Affected products
Dataease