Cyber Resilience

CVE-2026-32137

CriticalPublic PoC

Published: 12 March 2026

Published
12 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-32137 is a critical-severity SQL Injection (CWE-89) vulnerability in Dataease Dataease. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32137 is a SQL injection vulnerability affecting Dataease, an open source data visualization analysis tool. In versions prior to 2.10.20, the table parameter in the /de2api/datasource/previewData endpoint is directly concatenated into SQL statements without filtering or parameterization. Since the tableName is a user-controllable string, attackers can inject malicious SQL by crafting specially constructed table names, as classified under CWE-89. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-12.

An attacker with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows arbitrary SQL execution, potentially leading to high-impact compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) within the affected Dataease instance, such as data exfiltration, modification, or denial of service.

The vulnerability is fixed in Dataease version 2.10.20. Additional details are available in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL…

more

statements by constructing malicious table names. This vulnerability is fixed in 2.10.20.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in network-exposed web endpoint directly enables exploitation of public-facing application (T1190) and arbitrary queries against datasources/databases (T1213.006).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33121Same product: Dataease Dataease
CVE-2026-33207Same product: Dataease Dataease
CVE-2026-33083Same product: Dataease Dataease
CVE-2026-33122Same product: Dataease Dataease
CVE-2026-33082Same product: Dataease Dataease
CVE-2026-33084Same product: Dataease Dataease
CVE-2026-40900Same product: Dataease Dataease
CVE-2025-58046Same product: Dataease Dataease
CVE-2025-64428Same product: Dataease Dataease
CVE-2024-57707Same product: Dataease Dataease

Affected Assets

dataease
dataease
≤ 2.10.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-controllable tableName inputs prior to SQL concatenation, preventing SQL injection exploitation.

prevent

Ensures timely identification, reporting, and correction of the SQL injection flaw by applying the fix in Dataease version 2.10.20.

prevent

Restricts tableName inputs to only permitted values, blocking malicious SQL injection attempts via crafted table names.

References