CVE-2026-50030
HIGH
7.1
CVSS 4.0
Description
DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL preview exposes DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql, accepts PreviewSqlDTO.sql, PreviewSqlDTO.datasourceId, and PreviewSqlDTO.isCross, then DatasetDataManage.previewSql stores decoded SQL in datasourceRequest.query and CalciteProvider.fetchResultField executes it with prepareStatement(...).executeQuery(), allowing arbitrary readable datasource tables to be queried and returned in preview responses. This issue is fixed in version 2.10.23.
Metadata
Severity & Metrics
7.1
HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| dataease | dataease | — | < 2.10.23 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-89 | cna | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.1 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
References (3)
- https://github.com/dataease/dataease/security/advisories/GHSA-j4v5-5gcx-cvfc https://github.com/dataease/dataease/security/advisories/GHSA-j4v5-5gcx-cvfc
- https://github.com/dataease/dataease/commit/22930a493d900fe3d8084b3dd4c0125abdb2a847 https://github.com/dataease/dataease/commit/22930a493d900fe3d8084b3dd4c0125abdb2a847
- https://github.com/dataease/dataease/releases/tag/v2.10.23 https://github.com/dataease/dataease/releases/tag/v2.10.23