CVE-2026-45535 in DataEaseinfo

Summary

by MITRE • 07/15/2026

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL-type datasets store attacker-controlled SQL variable defaultValue entries such as ${var} and SqlparserUtils.handleVariableDefaultValue() inserts them with String.replace() without escaping or parameterization, causing stored SQL injection whenever a user with dataset read permission accesses the dataset. This issue is fixed in version 2.10.23.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability affects DataEase versions prior to 2.10.23 and represents a critical stored SQL injection flaw that arises from improper handling of user-controlled input within SQL query construction. The vulnerability stems from the SqlparserUtils.handleVariableDefaultValue() method which processes attacker-controlled SQL variable defaultValue entries containing patterns such as ${var}. When these variables are processed, the system employs String.replace() operations without proper escaping or parameterization mechanisms, creating an environment where malicious SQL code can be injected and executed. The flaw specifically impacts SQL-type datasets where users with read permissions on datasets can trigger the injection when accessing the dataset, making this a particularly dangerous vulnerability as it requires no special privileges beyond basic read access to exploit.

The technical implementation of this vulnerability aligns with CWE-89, which describes SQL injection flaws occurring when user-provided data is directly incorporated into SQL queries without proper sanitization or parameterization. The use of String.replace() instead of proper parameterized queries represents a fundamental security misconfiguration that allows attackers to manipulate database queries by injecting malicious SQL fragments through the defaultValue fields. This approach bypasses traditional input validation mechanisms since the injection occurs during query construction rather than at the point of data entry, making detection and prevention significantly more challenging.

The operational impact of this vulnerability is severe as it enables authenticated attackers with read access to datasets to execute arbitrary SQL commands against the underlying database system. Attackers could potentially extract sensitive information, modify database contents, or even escalate privileges within the database environment. The vulnerability affects all users who can read datasets, which in many enterprise environments includes a broad range of personnel from analysts to administrators, making the attack surface particularly large. This type of stored SQL injection typically allows for data exfiltration, privilege escalation, and potential system compromise depending on the database permissions granted to the DataEase application account.

Mitigation strategies should focus on implementing proper parameterized queries throughout the SqlparserUtils.handleVariableDefaultValue() method and other similar components that process user-controlled variables. The fix in version 2.10.23 addresses this by ensuring that variable defaultValue entries are properly escaped or parameterized before being incorporated into SQL statements. Organizations should also implement input validation to restrict the types of characters and patterns allowed in defaultValue fields, employ principle of least privilege for database accounts used by DataEase, and consider implementing web application firewalls to detect and prevent SQL injection attempts. Additionally, regular security assessments and code reviews focusing on SQL query construction practices should be conducted to identify similar vulnerabilities in other components of the application stack. The vulnerability demonstrates the importance of proper input sanitization and parameterized queries as outlined in the OWASP Top Ten and ATT&CK framework's T1190 technique for SQL injection attacks.

Responsible

GitHub M

Reservation

05/12/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!