Dataease · Dataease · CVE-2026-32137
**Name of the Vulnerable Software and Affected Versions**
Dataease versions prior to 2.10.20
**Description**
Dataease is an open source data visualization analysis tool. The `table` parameter of the `/de2api/datasource/previewData` API endpoint is concatenated directly into a SQL statement without filtering or parameterization. Because `tableName` is a user-controllable string, an attacker can inject SQL statements by supplying a crafted table name.
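The concatenation pattern described above, next to one way to close it, as an added example that is not Dataease's code or its actual fix. It uses Python's `sqlite3` with constructed tables; the function names, the `HOSTILE` sample value and the data are assumptions made for illustration.

```python
import sqlite3

# Constructed sample input: a "table name" that carries extra SQL.
HOSTILE = "orders UNION SELECT id, secret FROM credentials"

def make_db():
    # Constructed sample data standing in for a configured datasource.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (id INTEGER, item TEXT);
        INSERT INTO orders VALUES (1, 'widget'), (2, 'gadget');
        CREATE TABLE credentials (id INTEGER, secret TEXT);
        INSERT INTO credentials VALUES (1, 'constructed-secret');
    """)
    return db

def preview_concat(db, table, limit=100):
    # 'Before' pattern from the description: the table name is pasted
    # into the statement, so the database parses it as SQL text.
    return db.execute(f"SELECT * FROM {table} LIMIT {int(limit)}").fetchall()

def known_tables(db):
    # The catalog is the source of truth for which names are legal.
    rows = db.execute(
        "SELECT name FROM sqlite_master WHERE type IN ('table', 'view')")
    return {r[0] for r in rows}

def quote_ident(name):
    # Standard SQL identifier quoting: wrap in double quotes and double
    # any embedded quote. Applied even after the allow-list check.
    return '"' + name.replace('"', '""') + '"'

def preview_safe(db, table, limit=100):
    # Identifiers cannot be bound as ? parameters, so the name is checked
    # against the catalog and quoted; only the row limit is bound.
    if table not in known_tables(db):
        raise ValueError("unknown table")
    sql = f"SELECT * FROM {quote_ident(table)} LIMIT ?"
    return db.execute(sql, (int(limit),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", preview_concat(db, HOSTILE))
    print("allow-listed:", preview_safe(db, "orders"))
```

With the concatenated form the preview returns the `credentials` row alongside the `orders` rows; the allow-listed form rejects the same input before any SQL is built.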
**Recommendations**
Versions prior to 2.10.20 should be updated to version 2.10.20 or later.