CVE-2026-33122

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.21

Description An issue exists in the API datasource update process where the deTableName field from user-submitted configuration is passed to the createEngineTable() function. This field is substituted into a CREATE TABLE statement template without sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection to extract database information via the '/de2api/datasource/update' endpoint.

Recommendations Update to version 2.10.21.