Cyber Resilience

CVE-2026-33084

HighPublic PoC

Published: 16 April 2026

Published
16 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 24.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33084 is a high-severity SQL Injection (CWE-89) vulnerability in Dataease Dataease. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33084 is a SQL injection vulnerability (CWE-89) in DataEase, an open-source data visualization and analytics platform. Versions 2.10.20 and below are affected through the sort parameter in the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly passes user-supplied sort values to the sorting metadata DTO, which feeds into Order2SQLObj. This incorporates the value into the SQL ORDER BY clause without whitelist validation before execution via CalciteProvider, enabling arbitrary SQL command injection.

An authenticated attacker (PR:L) with network access (AV:N) can exploit this with low attack complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability supports time-based blind SQL injection by injecting arbitrary SQL commands via the sort parameter, as reflected in its CVSS v3.1 base score of 8.8 (S:U).

The vulnerability has been fixed in DataEase version 2.10.21. Mitigation details are available in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-r897-r9q8-3p2x and the release notes for v2.10.21 at https://github.com/dataease/dataease/releases/tag/v2.10.21.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly transfers the user-supplied sort value to the sorting metadata…

more

DTO, which is passed to Order2SQLObj where it is incorporated into the SQL ORDER BY clause without any whitelist validation, and then executed via CalciteProvider. An authenticated attacker can inject arbitrary SQL commands through the sort parameter, enabling time-based blind SQL injection. This issue has been fixed in version 2.10.21.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in internet-accessible web endpoint (AV:N) directly matches exploitation of public-facing applications; arbitrary SQL execution via unsanitized sort parameter enables the initial access vector with no other techniques directly implied by the description.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33083Same product: Dataease Dataease
CVE-2026-33122Same product: Dataease Dataease
CVE-2026-33082Same product: Dataease Dataease
CVE-2026-33121Same product: Dataease Dataease
CVE-2026-33207Same product: Dataease Dataease
CVE-2026-40900Same product: Dataease Dataease
CVE-2026-32137Same product: Dataease Dataease
CVE-2025-58046Same product: Dataease Dataease
CVE-2025-64428Same product: Dataease Dataease
CVE-2024-57707Same product: Dataease Dataease

Affected Assets

dataease
dataease
≤ 2.10.21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validating user-supplied inputs like the sort parameter to prevent SQL injection by ensuring only valid values are passed to SQL construction.

prevent

SI-9 enforces input restrictions such as whitelisting permissible sort values at application boundaries to block arbitrary SQL commands in the ORDER BY clause.

prevent

SI-2 requires timely identification, reporting, and correction of flaws like this SQL injection vulnerability, including applying the fix in DataEase v2.10.21.

References