Home / Vulnerability Intelligence / CVE-2026-32137

CVE-2026-32137 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 13, 2026

Dataease - SQL Injection

Published: March 12, 2026Updated: March 13, 2026PoC AvailableRemote Exploitable

Overview

Dataease < 2.10.20 contains a SQL injection caused by direct concatenation of user-controllable table parameter in /de2api/datasource/previewData, letting attackers execute arbitrary SQL commands remotely, exploit requires crafted table name.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or full database compromise.

Mitigation

Upgrade to version 2.10.20 or later.

References

https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 13, 2026

🟠 CVE-2026-32137 - High (8.8) Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a u... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32137/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 13, 2026

View original post

Related Resources

Details

CVE ID: CVE-2026-32137
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: confirmed
EPSS: 4.7%
Social Posts: 2

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.7%Probability of exploitation in the next 30 days