CVE-2026-33083HIGH 8.8EPSS p24.5%

CVE-2026-33083CVE-2026-33083

Description

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.33% probability of exploitation · percentile 24.5% · 2026-06-19T12:03:05Z
Published2026-04-16
Last modified2026-04-20

Underlying weaknesses· 1

CWE-89

References

  1. https://github.com/dataease/dataease/releases/tag/v2.10.21
  2. https://github.com/dataease/dataease/security/advisories/GHSA-f443-95cf-m837
  3. https://github.com/dataease/dataease/security/advisories/GHSA-f443-95cf-m837

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33084
CVE
CVE-2026-33082
CVE
CVE-2026-33207
CVE
CVE-2026-33122
CVE
CVE-2026-40900
CVE
CVE-2026-33121
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.