CVE-2026-45320

DataEase · DataEase

An SQL injection vulnerability exists in DataEase, allowing authenticated users to execute arbitrary SQL commands.

Executive summary

An authenticated SQL injection vulnerability in DataEase versions prior to 2.10.23 poses a high risk of unauthorized data access and manipulation.

Vulnerability

This vulnerability is classified as CWE-89, involving the improper neutralization of special elements used in an SQL command. It requires an attacker to possess low-level user privileges to interact with the vulnerable function and perform unauthorized database operations.

Business impact

With a CVSS score of 8.7, this flaw presents a substantial risk to data confidentiality and integrity. If exploited, an attacker could potentially bypass security controls to read, modify, or delete sensitive information stored within the DataEase database, leading to severe privacy and compliance consequences.

Remediation

Immediate Action: Upgrade to DataEase version 2.10.23 or later to apply the necessary input sanitization fixes.

Proactive Monitoring: Review database audit logs for unusual or unauthorized query patterns originating from existing user accounts.

Compensating Controls: Implement strict input validation at the Web Application Firewall (WAF) level to detect and block common SQL injection patterns targeting the application.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

Organizations should immediately verify their current version of DataEase and perform an upgrade to version 2.10.23. Access control reviews should also be conducted to ensure that user privileges are restricted to the minimum level necessary for their roles, reducing the risk of a compromised account being used to facilitate this attack.