Home / Vulnerability Intelligence / CVE-2026-33122

CVE-2026-33122 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 20, 2026

DataEase - SQL Injection

Published: April 16, 2026Updated: April 20, 2026PoC AvailableRemote Exploitable

Overview

DataEase <= 2.10.20 contains a SQL injection caused by unsanitized deTableName in the API datasource update process, letting authenticated attackers extract database information via error-based injection.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 3.0%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can extract sensitive database information via SQL injection, potentially compromising data confidentiality.

Mitigation

Update to version 2.10.21 or later.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Apr 20, 2026

🔴 CVE-2026-33122 - Critical (9.8) DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2ap... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33122/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Apr 20, 2026

View original post

Related Resources

Details

CVE ID: CVE-2026-33122
Severity: Critical
CVSS Score: 9.8
Type: sql_injection
Status: confirmed
EPSS: 3.0%
Social Posts: 2

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.0%Probability of exploitation in the next 30 days