CVE-2026-32137
Severity: HIGH | WAF: High
CVSS 8.8
Published: 2026-03-12
CWE-89
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, the table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names. This vulnerability is fixed in 2.10.20.
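The concatenation pattern described above, next to one way to harden it. This is an added example, not Dataease's code or its 2.10.20 fix. SQLite stands in for the datasource, and the function names, tables and rows are constructed for illustration.

```python
import re
import sqlite3

def make_demo_db():
    # Constructed sample data standing in for a connected datasource.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales (id INTEGER, amount REAL);
        INSERT INTO sales VALUES (1, 10.5), (2, 20.0), (3, 7.25);
        CREATE TABLE secrets (token TEXT);
        INSERT INTO secrets VALUES ('constructed-token');
    """)
    return conn

def preview_vulnerable(conn, table, limit=100):
    # Pattern from the advisory: the caller-supplied name becomes part of
    # the SQL text, so anything in it is parsed as SQL.
    sql = "SELECT * FROM " + table + " LIMIT " + str(int(limit))
    return conn.execute(sql).fetchall()

# Identifiers cannot be bound as parameters, so they are validated instead.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def preview_hardened(conn, table, limit=100, allowed=None):
    # 1) Strict identifier syntax: no spaces, quotes or punctuation.
    if not isinstance(table, str) or not IDENT.fullmatch(table):
        raise ValueError("invalid table name")
    # 2) The name must exist in the catalogue; the lookup itself is bound.
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    # 3) Optional per-caller allowlist of tables that may be previewed.
    if row is None or (allowed is not None and row[0] not in allowed):
        raise ValueError("unknown or unauthorized table")
    # Use the catalogue's copy of the name, quoted as an identifier;
    # the row limit is a value and is bound normally.
    quoted = '"' + row[0].replace('"', '""') + '"'
    return conn.execute(f"SELECT * FROM {quoted} LIMIT ?", (int(limit),)).fetchall()

if __name__ == "__main__":
    db = make_demo_db()
    # A constructed "table name" that carries extra SQL changes the query shape.
    print(preview_vulnerable(db, "sales WHERE id = 2"))
    print(preview_hardened(db, "sales", limit=2))
```

The same three checks apply to any identifier that has to be interpolated (schema, column, sort key), since bound parameters only cover values.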
WAF Coverage Analysis
SQL Injection
High WAF Coverage
OWASP: A03:2021 Injection
942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| dataease | dataease | prior to 2.10.20 |
References
- github.com (Exploit, Vendor Advisory)