DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL preview exposes DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql, accepts PreviewSqlDTO.sql, PreviewSqlDTO.datasourceId, and PreviewSqlDTO.isCross, then DatasetDataManage.previewSql stores decoded SQL in datasourceRequest.query and CalciteProvider.fetchResultField executes it with prepareStatement(...).executeQuery(), allowing arbitrary readable datasource tables to be queried and returned in preview responses. This issue is fixed in version 2.10.23.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Dataease
Dataease dataease |
|
| Vendors & Products |
Dataease
Dataease dataease |
Wed, 15 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL preview exposes DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql, accepts PreviewSqlDTO.sql, PreviewSqlDTO.datasourceId, and PreviewSqlDTO.isCross, then DatasetDataManage.previewSql stores decoded SQL in datasourceRequest.query and CalciteProvider.fetchResultField executes it with prepareStatement(...).executeQuery(), allowing arbitrary readable datasource tables to be queried and returned in preview responses. This issue is fixed in version 2.10.23. | |
| Title | DataEase: Arbitrary SQL execution in preview path (direct data disclosure) | |
| Weaknesses | CWE-89 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T19:24:51.531Z
Reserved: 2026-06-02T22:46:02.580Z
Link: CVE-2026-50030
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:00:06Z