CVE-2026-33207 · HIGH 8.8 · EPSS percentile 26.6%

Description

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.
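The defect described above is an identifier, not a value, being spliced into SQL text. The snippet below is an added illustration, not DataEase code: `buildFieldQueryUnsafe`, `buildFieldQuerySafe`, the `WHERE 1 = 2` probe and the identifier rule are assumptions. It shows why a JDBC `?` placeholder cannot fix this case (table names cannot be bound as parameters) and what a hardened form looks like: a strict identifier check plus quoting, applied to the name the client supplied, instead of an existence check against a table list the same client can populate.

```java
import java.util.regex.Pattern;

public class TableFieldQuery {
    // Vulnerable pattern as described in the advisory: the table name is
    // interpolated straight into the SQL string. A bound "?" parameter is
    // not available for identifiers, so String.format is tempting here.
    static String buildFieldQueryUnsafe(String tableName) {
        return String.format("SELECT * FROM %s WHERE 1 = 2", tableName);
    }

    // Hardened form (assumed, not the project's actual fix): accept only a
    // plain identifier, then quote it. The check runs on the caller's input,
    // not on a list returned by a datasource the caller registered, which
    // is the bypass the advisory describes.
    private static final Pattern IDENTIFIER =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    static String buildFieldQuerySafe(String tableName) {
        if (tableName == null || !IDENTIFIER.matcher(tableName).matches()) {
            throw new IllegalArgumentException("invalid table identifier");
        }
        // Double quotes are the ANSI/Calcite identifier delimiter; the
        // pattern above already excludes quotes, spaces and semicolons.
        return "SELECT * FROM \"" + tableName + "\" WHERE 1 = 2";
    }

    public static void main(String[] args) {
        // Constructed sample names: a legitimate table and a name that
        // carries SQL syntax, of the kind a malicious deTableName could hold.
        String legit = "orders";
        String hostile = "orders WHERE 1=1 --";

        System.out.println(buildFieldQueryUnsafe(hostile)); // syntax passes through untouched
        System.out.println(buildFieldQuerySafe(legit));
        try {
            buildFieldQuerySafe(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For detection, the same identifier rule can be applied to the tableName parameter at the web tier or WAF, since a legitimate table name never contains whitespace, quotes or comment markers.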

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.35% probability of exploitation · percentile 26.6% · 2026-06-19T12:03:05Z
Published: 2026-04-16
Last modified: 2026-04-20

Underlying weaknesses (1)

CWE-89

References

  1. https://github.com/dataease/dataease/releases/tag/v2.10.21
  2. https://github.com/dataease/dataease/security/advisories/GHSA-pgh3-rgw3-xjmm

Type: Weakness · Target: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE-89 · Confidence: 0% · Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-33122
CVE-2026-33121
CVE-2026-40900
CVE-2025-62422
CVE-2026-33082
CVE-2026-32137
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.