Cyber Resilience

CVE-2026-33122

HighPublic PoC

Published: 16 April 2026

Published
16 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 32.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33122 is a high-severity SQL Injection (CWE-89) vulnerability in Dataease Dataease. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33122 is a SQL injection vulnerability (CWE-89) affecting DataEase, an open-source data visualization and analytics platform, in versions 2.10.20 and prior. The flaw exists in the API datasource update process at the /de2api/datasource/update endpoint, where the user-supplied deTableName field from the configuration is passed unsanitized to DatasourceSyncManage.createEngineTable. This field is directly substituted into a CREATE TABLE statement template without sanitization or identifier escaping, allowing injection of arbitrary SQL commands. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker can exploit this issue by crafting a malicious deTableName value that breaks out of identifier quoting during a datasource update that adds a new table definition. This enables error-based SQL injection, allowing the attacker to extract sensitive database information. Despite the CVSS score indicating no privileges required (PR:N), the vulnerability description specifies exploitation by an authenticated user.

The issue has been addressed in DataEase version 2.10.21. Security practitioners should upgrade to this patched version immediately. Additional details are available in the official GitHub security advisory (GHSA-28vg-3hv7-w92f) and the release notes for v2.10.21.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field…

more

from the user-submitted configuration is passed to DatasourceSyncManage.createEngineTable, where it is substituted into a CREATE TABLE statement template without any sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information. This issue has been fixed in version 2.10.21.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in internet-facing DataEase web API (/de2api/datasource/update) directly enables initial access via exploitation of a public-facing application (T1190); error-based extraction of DB contents is a direct consequence of successful exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33083Same product: Dataease Dataease
CVE-2026-33082Same product: Dataease Dataease
CVE-2026-33084Same product: Dataease Dataease
CVE-2026-33121Same product: Dataease Dataease
CVE-2026-33207Same product: Dataease Dataease
CVE-2026-40900Same product: Dataease Dataease
CVE-2026-32137Same product: Dataease Dataease
CVE-2025-58046Same product: Dataease Dataease
CVE-2025-64428Same product: Dataease Dataease
CVE-2024-57707Same product: Dataease Dataease

Affected Assets

dataease
dataease
≤ 2.10.21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation and sanitization of user-supplied inputs like deTableName before substitution into SQL statements.

prevent

Mandates timely remediation of the specific SQL injection flaw through patching to DataEase version 2.10.21 or later.

prevent

Mitigates error-based SQL injection exploitation by restricting detailed error messages that reveal database information.

References