Home / Vulnerability Intelligence / CVE-2026-33207

CVE-2026-33207 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 20, 2026

DataEase - SQL Injection

Published: April 16, 2026Updated: April 20, 2026PoC AvailableRemote Exploitable

Overview

DataEase <= 2.10.20 contains a SQL injection caused by improper sanitization of the tableName parameter in /datasource/getTableField endpoint, letting authenticated attackers execute arbitrary SQL commands via crafted API datasource registration.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 3.0%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary SQL commands, leading to sensitive database information disclosure.

Mitigation

Upgrade to version 2.10.21 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 20, 2026

🟠 CVE-2026-33207 - High (8.8) DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33207/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-33207
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: confirmed
EPSS: 3.0%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.0%Probability of exploitation in the next 30 days