PT-2026-25034 · Dataease
Ray-778 · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32137
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Dataease versions prior to 2.10.20
Description
Dataease is an open source data visualization and analysis tool. The table parameter of the /de2api/datasource/previewData API endpoint is concatenated directly into a SQL statement without filtering or parameterization. Because tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names.
Recommendations
Versions prior to 2.10.20 should be updated to version 2.10.20 or later.
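As an added illustration (not DataEase's own code), a Python/sqlite3 sketch of the pattern the description names next to a hardened preview: the requested table name is checked as a plain identifier, matched against the datasource's allow-list and the catalog, and only then quoted into the query, while the row limit is bound as a parameter. The in-memory database, table names and function names are constructed for this example.

```python
import re
import sqlite3

# Strict identifier grammar: letters, digits and underscore, not starting with a digit.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def build_demo_db():
    """Constructed in-memory database standing in for a connected datasource."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE orders (id INTEGER, amount REAL);"
        "INSERT INTO orders VALUES (1, 9.5), (2, 20.0);"
        "CREATE TABLE internal_tokens (token TEXT);"
        "INSERT INTO internal_tokens VALUES ('constructed-sample');"
    )
    return conn

def preview_unsafe(conn, table_name, limit=10):
    """The pattern the advisory describes: the identifier is pasted into the SQL text."""
    return conn.execute(f"SELECT * FROM {table_name} LIMIT {limit}").fetchall()

def preview_safe(conn, table_name, exposed_tables, limit=10):
    """Hardened preview: syntax check, allow-list, catalog check, quoted identifier, bound LIMIT.
    exposed_tables is the set of tables the datasource configuration exposes (the allow-list)."""
    if not IDENTIFIER.fullmatch(table_name):
        raise ValueError("table name is not a plain identifier")
    if table_name not in exposed_tables:
        raise LookupError("table is not exposed by this datasource")
    # Confirm the name against the catalog with a bound parameter, not string building.
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table_name,)
    ).fetchone()
    if row is None:
        raise LookupError("table does not exist")
    # Identifiers cannot be bound as parameters, so quote the vetted name; LIMIT is bound.
    quoted = '"' + row[0].replace('"', '""') + '"'
    return conn.execute(f"SELECT * FROM {quoted} LIMIT ?", (limit,)).fetchall()

def preview_outcome(conn, table_name, exposed_tables):
    """Classify a request so the rejection paths can be checked without exceptions."""
    try:
        preview_safe(conn, table_name, exposed_tables)
        return "ok"
    except ValueError:
        return "bad_identifier"
    except LookupError:
        return "not_exposed"
```

The allow-list step is what actually closes the hole: even a syntactically valid name that exists in the database is refused unless the datasource configuration exposes it.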
Weakness Enumeration
SQL injection
Related Identifiers
CVE-2026-32137
Affected Products
Dataease