CVE-2026-40900 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: April 20, 2026
DataEase - SQL Injection
Overview
DataEase <= 2.10.20 contains a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint, caused by a lack of validation of user-supplied SQL. It lets authenticated attackers with valid datasource credentials execute arbitrary SQL statements.
Severity & Score
Impact
Authenticated attackers can execute arbitrary SQL queries, including read and write operations, leading to full database compromise.
Mitigation
Upgrade to version 2.10.21 or later.
References
Social Media Activity (2 posts)
CVE-2026-40900 - High (8.8) DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validatio... https://www.thehackerwire.com/vulnerability/CVE-2026-40900/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-40900
- Severity: High
- CVSS Score: 8.8
- Type: sql_injection
- Status: confirmed
- EPSS: 3.0%
- Social Posts: 2
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H