PT-2026-33363 · Dataease · Dataease

Published: 2026-04-16 · Updated: 2026-05-25 · CVE-2026-40900

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.21
Description: An issue exists in the '/de2api/datasetData/previewSql' endpoint, where user-supplied SQL is wrapped in a subquery without validating that the input is a single SELECT statement. By using a JDBC blocklist bypass to enable allowMultiQueries=true, an authenticated attacker with valid datasource credentials can execute arbitrary stacked SQL statements, including UPDATE and other write operations, resulting in full read and write access to the connected database.
Recommendations: Update to version 2.10.21.
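The description names two missing controls: the preview endpoint never checks that its input is one SELECT statement before wrapping it in a subquery, and the datasource URL check can be talked into enabling allowMultiQueries. The following is an added illustration of how those two checks can be implemented on the server side; it is example code written for this page, not DataEase's own code or fix. It assumes MySQL-style JDBC URLs (options after '?', separated by '&' or ';') and MySQL comment and quoting syntax; every function and constant name in it is invented for the illustration.

```python
"""
Added example (not DataEase code): two server-side checks for a SQL preview
endpoint that wraps user SQL in a subquery.

Assumptions: MySQL-style JDBC URLs (options after '?', separated by '&' or ';')
and MySQL comment/quoting syntax. All names here are invented for this example.
"""
import re
from urllib.parse import unquote

# Driver options that let one string carry several statements. Option names are
# percent-decoded and lower-cased before comparison, so a spelling or encoding
# variant of the name does not slip past a literal string match.
STACKED_QUERY_OPTIONS = {"allowmultiqueries"}

# Keywords that have no business in a read-only preview, even without a
# semicolon (e.g. SELECT ... INTO OUTFILE, or CALL of a stored procedure).
WRITE_KEYWORDS = re.compile(
    r"\b(insert|update|delete|drop|alter|create|truncate|grant|revoke|into|load|call|execute)\b",
    re.IGNORECASE,
)


def jdbc_query_options(url: str) -> dict:
    """Return the key=value options of a JDBC URL, percent-decoded and lower-cased."""
    if "?" not in url:
        return {}
    options = {}
    for pair in re.split(r"[&;]", url.split("?", 1)[1]):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        options[unquote(key).strip().lower()] = unquote(value).strip().lower()
    return options


def jdbc_url_allows_stacked_queries(url: str) -> bool:
    """True if the datasource URL names a multi-statement option at all;
    the presence of the option is rejected rather than trusting its value."""
    return not STACKED_QUERY_OPTIONS.isdisjoint(jdbc_query_options(url))


def sql_skeleton(sql: str) -> str:
    """Drop comments and blank out quoted literals so that semicolons and
    keywords inside strings or comments are not misread by the checks below."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        # '-- ' and '#' start line comments; a bare '--x' is arithmetic, not a comment
        if c == "#" or (sql.startswith("--", i) and (i + 2 >= n or sql[i + 2] in " \t\n")):
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):
            j = sql.find("*/", i + 2)
            if j == -1:
                raise ValueError("unterminated block comment")
            out.append(" ")
            i = j + 2
        elif c in ("'", '"', "`"):
            j = i + 1
            while j < n:
                if sql[j] == "\\":            # backslash escape: skip the next char
                    j += 2
                elif sql[j] == c and j + 1 < n and sql[j + 1] == c:
                    j += 2                     # doubled quote inside the literal
                elif sql[j] == c:
                    break
                else:
                    j += 1
            if j >= n:
                raise ValueError("unterminated quoted literal")
            out.append("?")
            i = j + 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def is_single_select(sql: str) -> bool:
    """Accept exactly one SELECT statement with at most one trailing semicolon.
    Conservative on purpose: CTEs (WITH ...) and anything unparseable are rejected."""
    try:
        body = sql_skeleton(sql).strip()
    except ValueError:
        return False
    if body.endswith(";"):
        body = body[:-1].rstrip()
    if not body or ";" in body:
        return False
    if not re.match(r"select\b", body, re.IGNORECASE):
        return False
    return WRITE_KEYWORDS.search(body) is None


def build_preview_query(user_sql: str, jdbc_url: str, limit: int = 100) -> str:
    """Wrap the user's SELECT in a subquery only after both checks pass."""
    if jdbc_url_allows_stacked_queries(jdbc_url):
        raise ValueError("datasource URL enables stacked statements")
    if not is_single_select(user_sql):
        raise ValueError("preview input must be a single SELECT statement")
    inner = user_sql.strip().rstrip(";")
    return f"SELECT * FROM ({inner}) AS de_preview LIMIT {int(limit)}"


if __name__ == "__main__":
    url = "jdbc:mysql://db:3306/app?useSSL=false"   # constructed sample URL
    print(build_preview_query("SELECT id, name FROM users WHERE name = 'a;b'", url))
```

The skeleton pass matters more than the keyword list: without it, a semicolon inside a string literal would cause a false rejection, and a `--x` that MySQL parses as arithmetic rather than a comment would let a trailing statement hide from a naive comment stripper. Rejecting the option by name, regardless of its value or spelling, is what keeps the datasource check from depending on an exact-string blocklist.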

Exploit · Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-40900

Affected Products: Dataease