{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32137", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.546Z", "datePublished": "2026-03-12T17:53:00.318Z", "dateUpdated": "2026-03-13T16:23:17.480Z"}, "containers": {"cna": {"title": "DataEase SQL Injection Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 2.10.20", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T17:53:00.318Z"}, "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names. This vulnerability is fixed in 2.10.20."}], "source": {"advisory": "GHSA-vgm2-269h-8624", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:23:10.264408Z", "id": "CVE-2026-32137", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:23:17.480Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "DataEase SQL Injection Vulnerability", "source": {"advisory": "GHSA-vgm2-269h-8624", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 2.10.20"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names. This vulnerability is fixed in 2.10.20."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T17:53:00.318Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32137", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T16:23:10.264408Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-13T16:23:14.311Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-32137", "state": "PUBLISHED", "dateUpdated": "2026-03-12T17:53:00.318Z", "dateReserved": "2026-03-10T22:19:36.546Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T17:53:00.318Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "matchCriteriaId": "788CE210-A4A2-469E-B250-E5B1A46FA2CD", "versionEndExcluding": "2.10.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names. This vulnerability is fixed in 2.10.20."}, {"lang": "es", "value": "Dataease es una herramienta de an\u00e1lisis de visualizaci\u00f3n de datos de c\u00f3digo abierto. Antes de la 2.10.20, el par\u00e1metro table para /de2api/datasource/previewData se concatena directamente en la sentencia SQL sin ning\u00fan tipo de filtrado o parametrizaci\u00f3n. Dado que tableName es una cadena controlable por el usuario, los atacantes pueden inyectar sentencias SQL maliciosas construyendo nombres de tabla maliciosos. Esta vulnerabilidad se corrigi\u00f3 en la 2.10.20."}], "id": "CVE-2026-32137", "lastModified": "2026-03-13T16:03:02.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T18:16:25.257", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.20)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dataease", "source": "cna", "vendor": "dataease"}, "product": "dataease", "vendor": "dataease"}], "analysis": {"en": {"generated_at": "2026-03-18T15:33:27.518060+00:00", "value": {"mitigation_remediation": ["Update Dataease to version 2.10.20 or later to apply the vendor patch that parameterizes the SQL query.", "If an immediate update is not possible, restrict network access to the /de2api/datasource/previewData endpoint by firewall or application rules so that only authorized users can reach it.", "Disable or remove the previewData functionality if it is not required for operations.", "Monitor network traffic and application logs for suspicious requests to the previewData endpoint. ", "Ensure that the database user account used by Dataease has only the minimum privileges required to perform its functions, limiting damage in case of successful exploitation."], "summary": {"action": "Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Dataease releases prior to version 2.10.20. 2.10.20 and later contain the remediation that parameterizes the SQL query. The API endpoint /de2api/datasource/previewData is the entry point for the vulnerability.", "description_and_impact": "Dataease, an open\u2011source data visualization tool, contains a classic SQL injection flaw in its /de2api/datasource/previewData endpoint. The tableName query parameter is concatenated directly into an SQL statement with no filtering or parameterization, enabling an attacker to inject arbitrary SQL when providing a crafted table name. This can allow disclosure of sensitive data and, if the attacker writes destructive statements, modification or deletion of database contents. The flaw is classified as CWE\u201189.", "risk_and_exploitability": "With a CVSS score of 9.3 the issue is considered critical. The EPSS score is noted as less than 1%, indicating a low probability of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request to the /de2api/datasource/previewData endpoint. If the endpoint is publicly reachable or an authenticated user can trigger it, the attacker can supply a malicious tableName value to execute arbitrary SQL. The impact scope is full database access, which could compromise confidentiality and integrity of all stored data."}}}}, "created": "2026-03-13T09:50:38.459604+00:00", "updated": "2026-03-20T15:48:40.867810+00:00", "vendors": ["dataease", "dataease$PRODUCT$dataease"]}