CVE-2026-8724
4.7 MEDIUM
A security flaw has been discovered in Dataease 2.10.20
Published: 2026-05-17 · Last updated: 2026-05-19
Severity and scoring
- CVSS: 4.7 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- CWE: CWE-74, CWE-89
Affected products
| Vendor | Product |
|---|---|
| dataease | dataease |
Description
A security flaw has been discovered in Dataease 2.10.20. Impacted is the function SqlparserUtils.transFilter of the file SqlparserUtils.java of the component Data Dashboard. The manipulation results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-8724)
- [Exploit reference](https://github.com/xpp3901/CVE_APPLY/tree/main/V-D001_DataEase_SqlVariable_Injection)
- [Other](https://vuldb.com/submit/804256)
- [Other](https://vuldb.com/vuln/364315)
- [Other](https://vuldb.com/vuln/364315/cti)
Related CVEs
Same CWE
- CVE-2026-52715 — Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions (9.3 CRITICAL)
- CVE-2026-52712 — Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions (7.6 HIGH)
- CVE-2026-49772 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events C... (9.3 CRITICAL)
- CVE-2026-39581 — Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions (8.5 HIGH)
- CVE-2026-39574 — Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions (9.3 CRITICAL)