CVE-2026-33083

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.21

Description An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without validation or whitelist enforcement. This value is rendered into the ORDER BY clause via StringTemplate before execution. The issue affects dataset-related endpoints, including '/de2api/datasetData/enumValueDs' and '/de2api/datasetTree/exportDataset'.

Recommendations Update to version 2.10.21. As a temporary workaround, restrict access to the '/de2api/datasetData/enumValueDs' and '/de2api/datasetTree/exportDataset' endpoints or avoid using the orderDirection parameter until the update is applied.