{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40900", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.766Z", "datePublished": "2026-04-16T20:53:27.788Z", "dateUpdated": "2026-04-17T12:38:32.676Z"}, "containers": {"cna": {"title": "DataEase has SQL Injection via Stacked Queries", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx"}, {"name": "https://github.com/dataease/dataease/releases/tag/v2.10.21", "tags": ["x_refsource_MISC"], "url": "https://github.com/dataease/dataease/releases/tag/v2.10.21"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 2.10.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T20:53:27.788Z"}, "descriptions": [{"lang": "en", "value": "DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21."}], "source": {"advisory": "GHSA-vqxf-84ph-j3vx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T12:38:27.439086Z", "id": "CVE-2026-40900", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T12:38:32.676Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40900", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T12:38:27.439086Z"}}}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T12:38:14.872Z"}}], "cna": {"title": "DataEase has SQL Injection via Stacked Queries", "source": {"advisory": "GHSA-vqxf-84ph-j3vx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 2.10.21"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dataease/dataease/releases/tag/v2.10.21", "name": "https://github.com/dataease/dataease/releases/tag/v2.10.21", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T20:53:27.788Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40900", "state": "PUBLISHED", "dateUpdated": "2026-04-17T12:38:32.676Z", "dateReserved": "2026-04-15T16:37:22.766Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-16T20:53:27.788Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21."}], "id": "CVE-2026-40900", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T21:16:24.113", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dataease/dataease/releases/tag/v2.10.21"}, {"source": "security-advisories@github.com", "url": "https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.21)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dataease", "source": "cna", "vendor": "dataease"}, "product": "dataease", "vendor": "dataease"}], "analysis": {"en": {"generated_at": "2026-04-17T02:27:29.416084+00:00", "value": {"mitigation_remediation": ["Upgrade DataEase to version 2.10.21 or later, which removes the vulnerable endpoint.", "If upgrading is not immediately possible, configure the JDBC connection to disable allowMultiQueries and block stacked statements.", "Restrict the permissions of datasource credentials to the minimum required for the application, removing update privileges where possible.", "Implement application\u2011level validation to ensure that only SELECT statements are accepted in the previewSql endpoint."], "summary": {"action": "Patch Immediately", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "DataEase instances running version 2.10.20 or earlier are vulnerable. The issue was addressed in release 2.10.21. All other versions are not affected.", "description_and_impact": "DataEase is an open\u2011source data visualization platform that uses a SQL endpoint allowing user\u2011supplied queries. A flaw in the /de2api/datasetData/previewSql route wraps the input in a subquery but does not enforce that the input is a single SELECT statement. Combined with a JDBC blocklist bypass that enables allowMultiQueries=true, an attacker can exit the subquery and execute arbitrary stacked SQL statements, including writes, against the connected database. Because the attacker must be authenticated with valid datasource credentials, successful exploitation grants full read and write access to the underlying database.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.7, indicating high severity. EPSS is not available, but the fact that it is not listed in the KEV catalog suggests no publicly known exploits at this time. The attacker must possess authenticated access to a valid datasource, which limits the risk to customers who expose such credentials. Nevertheless, those credentials can provide complete control over the underlying database, enabling data theft, modification, or destruction."}}}}, "created": "2026-04-16T23:00:03.962620+00:00", "updated": "2026-04-17T02:30:07.316600+00:00", "vendors": ["dataease", "dataease$PRODUCT$dataease"]}