SQL injection in DataEase - CVE-2026-55635


Published: June 18, 2026


Vulnerability identifier: #VU134827
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-55635
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DataEase
Affected software:
DataEase

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and possibly modify data.

The vulnerability exists due to insufficient sanitization of quota (Y-axis) filter values in Quota2SQLObj.getYWheres() when those values are incorporated into the SQL generated for chart definitions and chart data requests. A remote user can submit a specially crafted filter value to inject SQL, disclose sensitive information and possibly modify data.

Exploitation requires the ability to create or modify chart definitions, or to submit chart data requests containing quota filters.
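The following is an added illustration of the defect class described above, not code from DataEase or from the advisory. It models a quota filter as a (field, operator, value) triple and builds a WHERE clause two ways: a vulnerable builder that concatenates the raw filter value into the SQL, and a hardened builder that allowlists field names and operators and binds the value as a query parameter. The table, rows, function names and filter format are assumptions made for the example; they do not reflect DataEase's real data model or the real Quota2SQLObj.getYWheres() implementation.

```python
import sqlite3

# Constructed sample data standing in for a dataset a chart might query.
ROWS = [("north", 120), ("south", 80), ("restricted", 999)]

# Operator names accepted from the client, mapped to the SQL they produce.
ALLOWED_OPS = {"eq": "=", "ne": "<>", "gt": ">", "lt": "<"}
ALLOWED_FIELDS = {"region", "amount"}


def make_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?)", ROWS)
    return conn


def build_ywheres_vulnerable(filters):
    """Hypothetical vulnerable builder: the filter VALUE is concatenated into
    the SQL text, so a value containing a quote escapes the string literal.
    This mirrors the CWE-89 pattern in the advisory, not the real code."""
    parts = []
    for field, op, value in filters:
        parts.append(f"{field} {ALLOWED_OPS[op]} '{value}'")
    return " AND ".join(parts)


def run_chart_query_vulnerable(conn, filters):
    """Run a chart-style query using the vulnerable WHERE builder."""
    sql = f"SELECT region, amount FROM sales WHERE {build_ywheres_vulnerable(filters)}"
    return conn.execute(sql).fetchall()


def build_ywheres_safe(filters):
    """Hardened builder: field and operator come from allowlists (they cannot be
    parameterized), and the value is bound as a placeholder so it can never
    change the structure of the statement."""
    parts, params = [], []
    for field, op, value in filters:
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field: {field!r}")
        if op not in ALLOWED_OPS:
            raise ValueError(f"unknown operator: {op!r}")
        parts.append(f"{field} {ALLOWED_OPS[op]} ?")
        params.append(value)
    return " AND ".join(parts), params


def run_chart_query_safe(conn, filters):
    """Run a chart-style query using the hardened WHERE builder."""
    where, params = build_ywheres_safe(filters)
    sql = f"SELECT region, amount FROM sales WHERE {where}"
    return conn.execute(sql, params).fetchall()


# Two constructed malicious filter values: the first widens the filter to every
# row, the second appends a UNION that reads the schema table.
BYPASS_VALUE = "x' OR '1'='1"
UNION_VALUE = "' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, benign:", run_chart_query_vulnerable(conn, [("region", "eq", "north")]))
    print("vulnerable, bypass:", run_chart_query_vulnerable(conn, [("region", "eq", BYPASS_VALUE)]))
    print("vulnerable, union: ", run_chart_query_vulnerable(conn, [("region", "eq", UNION_VALUE)]))
    print("safe, bypass:      ", run_chart_query_safe(conn, [("region", "eq", BYPASS_VALUE)]))
    print("safe, union:       ", run_chart_query_safe(conn, [("region", "eq", UNION_VALUE)]))
```

The allowlists matter as much as the placeholder: column names and operators cannot be bound as parameters, so if a chart definition lets the client choose them they must be validated against a fixed set rather than interpolated, otherwise the injection simply moves from the value to the field or operator position.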


How to mitigate CVE-2026-55635

Install the security update from the vendor's website. Until it is applied, restrict the ability to create or modify chart definitions to trusted accounts, since that privilege is the precondition for exploitation.

Sources