CVE-2026-33121

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.21

Description An issue exists in the API datasource saving process where the deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement through simple string replacement without sanitization or escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, allowing for error-based SQL injection to extract database information, such as the MySQL version.

Recommendations Update to version 2.10.21.