{
  "original_cve": "CVE-2026-40900",
  "variant_id": "CVE-2026-40900-postgresql-previewSql-stacked",
  "same_root_cause": true,
  "confidence": "high",
  "root_cause_description": "DatasetDataManage.previewSql() wraps raw user-supplied SQL inside a subquery (SELECT * FROM ( <USER_SQL> ) tmp LIMIT 100) without parsing, validating, or enforcing that the input is a single SELECT statement. When the underlying JDBC driver supports multi-statement execution, an attacker can inject ); <SECOND_STATEMENT> <COMMENT> to break out of the wrapper and execute arbitrary side-effecting SQL.",
  "shared_code_paths": [
    "core/core-backend/src/main/java/io/dataease/dataset/manage/DatasetDataManage.java:previewSql()",
    "core/core-backend/src/main/java/io/dataease/dataset/manage/DatasetDataManage.java:previewSqlWithLog()",
    "core/core-backend/src/main/java/io/dataease/engine/utils/SQLUtils.java:buildOriginPreviewSql()",
    "core/core-backend/src/main/java/io/dataease/datasource/provider/CalciteProvider.java:jdbcFetchResultField()"
  ],
  "differences_from_original": {
    "entry_point_database_type": "PostgreSQL (type=pg) instead of MySQL (type=mysql)",
    "jdbc_driver_behavior": "The PostgreSQL JDBC driver accepts multiple statements in a single Statement.executeQuery() call by default in simple query mode; no special connection parameter such as allowMultiQueries is required",
    "exploit_observable": "Time-based (pg_sleep delay) instead of data-modification (INSERT)",
    "fixed_version_behavior": "Blocked on v2.10.21, likely because of driver/Calcite behavior differences rather than because previewSql performs explicit SQL validation"
  }
}
