PT-2026-33353 · Dataease · Dataease

Published 2026-04-16 · Updated 2026-04-17 · CVE-2026-33084

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.21

Description: An authenticated attacker can perform time-based blind SQL injection. The issue occurs because the DatasetDataManage service layer copies user-supplied values into the sorting metadata DTO, which is then passed to Order2SQLObj and incorporated into the SQL ORDER BY clause without whitelist validation before the query is executed via CalciteProvider. The affected API endpoint is '/de2api/datasetData/enumValueObj' and the vulnerable parameter is sort.

Recommendations: Update to version 2.10.21. As a temporary mitigation, avoid using the sort parameter of the '/de2api/datasetData/enumValueObj' endpoint.
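The whitelist check the description says is missing, as an added illustration: this is not DataEase's code (which is Java), and the sort-spec format "column [asc|desc], ...", the column table and the quoting style are assumptions made for the example. A sort value is only ever mapped through a fixed table of sortable columns and directions; anything outside it is rejected instead of being concatenated into ORDER BY.

```python
import re

# Constructed sample of sortable columns: user-facing name -> SQL identifier.
# A real service would derive this from the dataset's own field metadata.
ALLOWED_SORT_COLUMNS = {
    "name": "name",
    "createTime": "create_time",
    "amount": "amount",
}

_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_order_by(sort_spec, allowed=ALLOWED_SORT_COLUMNS):
    """Turn a user-supplied spec such as "name desc,amount" into an ORDER BY
    clause built only from whitelisted identifiers and fixed direction
    keywords. Raises ValueError for anything that is not on the whitelist,
    so user text never reaches the SQL string."""
    if not sort_spec or not sort_spec.strip():
        return ""
    parts = []
    for item in sort_spec.split(","):
        tokens = item.split()
        if len(tokens) not in (1, 2):
            raise ValueError("malformed sort item")
        column = tokens[0]
        direction = tokens[1].lower() if len(tokens) == 2 else "asc"
        # Syntactic identifier check, then membership in the whitelist
        if not _IDENTIFIER.match(column) or column not in allowed:
            raise ValueError("column is not sortable")
        if direction not in _DIRECTIONS:
            raise ValueError("bad sort direction")
        # Only values from our own tables are interpolated here
        parts.append(f'"{allowed[column]}" {_DIRECTIONS[direction]}')
    return "ORDER BY " + ", ".join(parts)


def is_valid_sort(sort_spec, allowed=ALLOWED_SORT_COLUMNS):
    """Boolean form for rejecting a request at the controller boundary."""
    try:
        build_order_by(sort_spec, allowed)
        return True
    except ValueError:
        return False
```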

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2026-33084

Affected Products: Dataease