{
  "cve_id": "CVE-2026-40900",
  "validation_timestamp": "2026-05-25T23:26:44Z",
  "reproduced": true,
  "fix_verified": true,
  "vulnerable_version": {
    "version": "v2.10.20",
    "datasource_status": "Success",
    "exploit_success": true,
    "exploit_response_code": 0,
    "side_effect_confirmed": true,
    "notes": "Stacked SQL injection via previewSql endpoint succeeded. The payload 'SELECT 1 FROM dual) AS x; INSERT INTO repro_test ... #' was executed and a row was inserted into the application database."
  },
  "fixed_version": {
    "version": "v2.10.21",
    "datasource_status": "Error",
    "exploit_success": false,
    "exploit_response_code": 40001,
    "exploit_response_msg": "数据源无效",
    "side_effect_confirmed": false,
    "notes": "Datasource with allowMultiQueries=true is saved with status='Error' and previewSql refuses to execute against it, blocking the stacked SQL injection path."
  },
  "evidence_files": [
    "logs/v2.10.20_validate.json",
    "logs/v2.10.20_exploit.json",
    "logs/v2.10.21_create_datasource.json",
    "logs/v2.10.21_exploit.json"
  ],
  "verdict": "VULNERABILITY_CONFIRMED_AND_FIX_VERIFIED",
  "summary": "CVE-2026-40900 (stacked-query SQL injection in DataEase previewSql) was successfully reproduced on v2.10.20 and confirmed patched on v2.10.21. The fix adds 'allowMultiQueries' to the MySQL JDBC parameter blocklist, causing datasources with this parameter to be marked Error and preventing previewSql execution against them.",
  "cwe": ["CWE-89"],
  "cvss_v3_1_score": 8.8
}