{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33121", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.925Z", "datePublished": "2026-04-16T18:16:02.485Z", "dateUpdated": "2026-04-16T18:34:54.187Z"}, "containers": {"cna": {"title": "DataEase has SQL Injection via Datasource Save Flow", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5"}, {"name": "https://github.com/dataease/dataease/releases/tag/v2.10.21", "tags": ["x_refsource_MISC"], "url": "https://github.com/dataease/dataease/releases/tag/v2.10.21"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 2.10.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T18:16:02.485Z"}, "descriptions": [{"lang": "en", "value": "DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple string replacement without any sanitization or escaping of the table name. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information such as the MySQL version. This issue has been fixed in version 2.10.21."}], "source": {"advisory": "GHSA-fg4m-q7ch-jqv5", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T18:34:50.326086Z", "id": "CVE-2026-33121", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T18:34:54.187Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33121", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T18:34:50.326086Z"}}}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T18:34:34.779Z"}}], "cna": {"title": "DataEase has SQL Injection via Datasource Save Flow", "source": {"advisory": "GHSA-fg4m-q7ch-jqv5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 2.10.21"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dataease/dataease/releases/tag/v2.10.21", "name": "https://github.com/dataease/dataease/releases/tag/v2.10.21", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple string replacement without any sanitization or escaping of the table name. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information such as the MySQL version. This issue has been fixed in version 2.10.21."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T18:16:02.485Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33121", "state": "PUBLISHED", "dateUpdated": "2026-04-16T18:34:54.187Z", "dateReserved": "2026-03-17T20:35:49.925Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-16T18:16:02.485Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDA9ABA1-77C0-4BB8-9E57-2D5150B015A3", "versionEndExcluding": "2.10.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple string replacement without any sanitization or escaping of the table name. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information such as the MySQL version. This issue has been fixed in version 2.10.21."}], "id": "CVE-2026-33121", "lastModified": "2026-04-20T16:37:02.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T19:16:33.657", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/dataease/dataease/releases/tag/v2.10.21"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.21)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dataease", "source": "cna", "vendor": "dataease"}, "product": "dataease", "vendor": "dataease"}], "analysis": {"en": {"generated_at": "2026-04-17T02:29:40.531335+00:00", "value": {"mitigation_remediation": ["Upgrade DataEase to version 2.10.21 or later to apply the official vendor patch.", "If a patch cannot be applied immediately, restrict access to the datasource creation API by assigning stricter permissions or by routing traffic through a firewall to limit authenticated use.", "Implement network\u2011level controls such as a Web Application Firewall that validates the deTableName parameter and blocks malformed payloads that attempt to end the quoted identifier.", "Continuously monitor server logs for error messages or abnormal SQL activity that may indicate injection attempts."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection leading to information disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the DataEase open\u2011source data visualization platform. All instances running version 2.10.20 or earlier are affected. The issue was resolved in the 2.10.21 release; no other product versions are affected according to the vendor advisory.", "description_and_impact": "DataEase versions 2.10.20 and earlier contain a SQL injection flaw in the datasource save API. The deTableName field of the Base64\u2011encoded datasource configuration is directly embedded into a DDL statement via simple string replacement, with no sanitization. An attacker who is authenticated and has permission to save datasources can craft a deTableName that breaks out of the identifier quotation and injects arbitrary SQL, enabling error\u2011based extraction of database information such as the MySQL version. This is a classic input\u2011validation weakness, listed as CWE\u201189.", "risk_and_exploitability": "The CVSS base score is 8.7, indicating a High severity vulnerability. Exploitation requires authenticated access with permission to create or modify datasources, limiting the attack surface but still presenting a significant risk. No EPSS data is published, and the flaw is not listed in the CISA KEV catalog, but the high severity and potential for information disclosure warrant immediate attention."}}}}, "created": "2026-04-16T19:30:35.694114+00:00", "updated": "2026-04-17T02:30:07.319572+00:00", "vendors": ["dataease", "dataease$PRODUCT$dataease"]}