CVE-2026-33082
Published: 16 April 2026
Summary
CVE-2026-33082 is a critical-severity SQL Injection (CWE-89) vulnerability in Dataease Dataease. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user-controlled inputs like the expressionTree parameter before concatenation into SQL queries, preventing SQL injection exploits.
Ensures timely identification, reporting, and correction of software flaws such as this SQL injection vulnerability through patching to DataEase v2.10.21.
Vulnerability scanning and monitoring detects SQL injection flaws like this one in web application endpoints such as /de2api/datasetTree/exportDataset.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web API endpoint (/de2api/datasetTree/exportDataset) directly enables remote exploitation of the application for initial access and arbitrary database query execution.
NVD Description
DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to WhereTree2Str.transFilterTrees for…
more
SQL translation, where user-controlled values in "like" filter terms are directly concatenated into SQL fragments without sanitization. An attacker can inject arbitrary SQL commands by escaping the string literal in the filter value, enabling blind SQL injection through techniques such as time-based extraction of database information. This issue has been fixed in version 2.10.21.
Deeper analysisAI
CVE-2026-33082 is a SQL injection vulnerability (CWE-89) in DataEase, an open source data visualization analysis tool, affecting versions 2.10.20 and below. The issue occurs in the dataset export functionality at the POST /de2api/datasetTree/exportDataset endpoint. The expressionTree parameter is deserialized into a filtering object and passed to WhereTree2Str.transFilterTrees for SQL translation, where user-controlled values in "like" filter terms are directly concatenated into SQL fragments without sanitization.
Unauthenticated remote attackers can exploit this vulnerability by escaping the string literal in the filter value to inject arbitrary SQL commands, enabling blind SQL injection through techniques such as time-based extraction of database information. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its critical severity, with potential for high impacts on confidentiality, integrity, and availability.
The vulnerability has been fixed in DataEase version 2.10.21. Mitigation details are available in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-xxpw-2c8q-g693 and the release notes at https://github.com/dataease/dataease/releases/tag/v2.10.21.
Details
- CWE(s)