CVE-2026-45320
DataEase · DataEase
An SQL injection vulnerability exists in DataEase, allowing authenticated users to execute arbitrary SQL commands.
Executive summary
An authenticated SQL injection vulnerability in DataEase versions prior to 2.10.23 poses a high risk of unauthorized data access and manipulation.
Vulnerability
This vulnerability is classified as CWE-89, involving the improper neutralization of special elements used in an SQL command. It requires an attacker to possess low-level user privileges to interact with the vulnerable function and perform unauthorized database operations.
Business impact
With a CVSS score of 8.7, this flaw presents a substantial risk to data confidentiality and integrity. If exploited, an attacker could potentially bypass security controls to read, modify, or delete sensitive information stored within the DataEase database, leading to severe privacy and compliance consequences.
Remediation
Immediate Action: Upgrade to DataEase version 2.10.23 or later to apply the necessary input sanitization fixes.
Proactive Monitoring: Review database audit logs for unusual or unauthorized query patterns originating from existing user accounts.
Compensating Controls: Implement strict input validation at the Web Application Firewall (WAF) level to detect and block common SQL injection patterns targeting the application.
Exploitation status
Public Exploit Available: No (unknown)
Analyst recommendation
Organizations should immediately verify their current version of DataEase and perform an upgrade to version 2.10.23. Access control reviews should also be conducted to ensure that user privileges are restricted to the minimum level necessary for their roles, reducing the risk of a compromised account being used to facilitate this attack.