SQL injection in DataEase - CVE-2026-45535

Published: June 18, 2026


Vulnerability identifier: #VU134815
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45535
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DataEase
Affected software:
DataEase

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL queries and disclose sensitive information.

The vulnerability exists due to SQL injection in the handleVariableDefaultValue() method of SqlparserUtils.java when processing default values for SQL variables in SQL-type datasets. A remote user can create or edit a crafted dataset with a malicious defaultValue to execute arbitrary SQL queries and disclose sensitive information.

The malicious payload is stored when the dataset is saved and is triggered when a user with dataset read permission accesses the dataset.
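The root cause described above is a default value being spliced into SQL text. The following added example (not DataEase's code; the `${name}` placeholder syntax, the `defaultValue` field shape and the sample table are assumptions constructed for illustration) contrasts that pattern with one that binds the default value as a query parameter, so the same tampered value no longer changes the query's structure:

```python
import re
import sqlite3

# Assumed "${name}" placeholder syntax and {"defaultValue": ...} variable shape;
# both are constructed for this example and are not DataEase's own format.
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")
# Constructed sample rows standing in for a dataset's backing source.
SAMPLE_ROWS = [(1, "north", 10), (2, "south", 20), (3, "north", 30)]

def substitute_unsafe(sql_template, variables):
    """Risky pattern: the default value is quoted and spliced into the SQL
    text, so a value containing a quote can alter the query's structure."""
    return PLACEHOLDER.sub(
        lambda m: "'" + str(variables[m.group(1)]["defaultValue"]) + "'", sql_template)

def bind_defaults(sql_template, variables):
    """Hardened pattern: each placeholder becomes a bind marker and the default
    value is passed out-of-band, so the engine always treats it as data."""
    params = []

    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"undefined SQL variable: {name}")
        params.append(variables[name]["defaultValue"])
        return "?"

    return PLACEHOLDER.sub(repl, sql_template), params

def run_dataset_query(sql_template, variables, hardened):
    """Run the template against an in-memory table; return the matched ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    if hardened:
        sql, params = bind_defaults(sql_template, variables)
        rows = conn.execute(sql, params).fetchall()
    else:
        rows = conn.execute(substitute_unsafe(sql_template, variables)).fetchall()
    conn.close()
    return [r[0] for r in rows]

TEMPLATE = "SELECT id FROM orders WHERE region = ${region}"
BENIGN = {"region": {"defaultValue": "north"}}
# Constructed defaultValue that closes the quote and appends a tautology.
TAMPERED = {"region": {"defaultValue": "north' OR '1'='1"}}

if __name__ == "__main__":
    print(run_dataset_query(TEMPLATE, TAMPERED, hardened=False))  # [1, 2, 3]
    print(run_dataset_query(TEMPLATE, TAMPERED, hardened=True))   # []
```

Binding covers variables used in value positions; a variable that names a table or column cannot be bound and needs an allowlist check before substitution instead.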


How to mitigate CVE-2026-45535

Install the security update from the vendor's website.

Sources