CVE-2026-45535

DataEase · DataEase

DataEase is vulnerable to SQL injection, allowing authenticated attackers to execute arbitrary SQL commands via improper neutralization of special elements in input.

Executive summary

An authenticated SQL injection vulnerability in DataEase poses a high risk of unauthorized data access and manipulation.

Vulnerability

The application is susceptible to SQL injection (CWE-89) because it fails to properly sanitize user-supplied input. An authenticated attacker can leverage this flaw to interact with the backend database with the privileges of the application service account.

Business impact

A successful exploit could lead to the unauthorized extraction of sensitive business data, modification of stored information, or potential disruption of data visualization services. Given the CVSS score of 8.7, this is classified as a high-severity vulnerability that warrants immediate attention to prevent data compromise.

Remediation

Immediate Action: Update the DataEase installation to version 2.10.23 or later as specified in the official vendor release.

Proactive Monitoring: Review database access logs for anomalous query patterns or unexpected SQL syntax errors that may indicate injection attempts.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns targeting the application input fields.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

Organizations utilizing DataEase should treat this vulnerability with urgency. Given the potential for full database compromise via SQL injection, administrators must prioritize the deployment of the vendor-supplied patch to version 2.10.23 to eliminate the risk of unauthorized data access.