CVE-2026-33082 HIGH

CVE-2026-33082: DataEase: SQL Injection in v2 Dataset Export

Vendor Dataease
Product dataease
Weakness CWE-89 · SQLi
Published April 16, 2026
Last update April 16, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to WhereTree2Str.transFilterTrees for SQL translation, where user-controlled values in "like" filter terms are directly concatenated into SQL fragments without sanitization. An attacker can inject arbitrary SQL commands by escaping the string literal in the filter value, enabling blind SQL injection through techniques such as time-based extraction of database information. This issue has been fixed in version 2.10.21.

Key dates

02Disclosure timeline

April 16, 2026 CVE published
April 16, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-2586 SQL injection vulnerability in AMSS++ CVE-2013-10023 Editorial Calendar Plugin edcal.php edcal_filter_where sql injection CVE-2019-25439 NoviSmart CMS SQL Injection via Referer HTTP Header CVE-2025-2200 SQL injection vulnerability in the Innovación y Cualificación IcProgreso plugin CVE-2025-10003 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP <= 1.2.44 - Authenticated (Subscriber+) SQL Injection