{
  "variant_id": "CVE-2026-40900-postgresql-previewSql-stacked",
  "created_at": "2026-05-25T23:30:00Z",
  "variant_summary": "PostgreSQL time-based stacked SQL injection through DatasetDataManage.previewSql — same root cause as CVE-2026-40900 (no single-statement validation) but via a PostgreSQL datasource instead of MySQL.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/dataease/dataease",
  "submitted_target": {
    "target_kind": "docker_image_tag",
    "version": "v2.10.20",
    "display": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.20"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "ba0052aff05d85b5ae6e81f687b777b242222dd4",
    "version": "v2.10.20",
    "display": "DataEase v2.10.20 (docker) / commit ba0052aff05d85b5ae6e81f687b777b242222dd4"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "POST /de2api/datasetData/previewSql with PostgreSQL datasource",
  "validated_surface": "POST /de2api/datasetData/previewSql with PostgreSQL datasource (type=pg)",
  "required_entrypoint_kind": "http_api",
  "required_entrypoint_detail": "Authenticated POST to /de2api/datasetData/previewSql with a base64-encoded stacked SQL payload targeting a PostgreSQL datasource",
  "attacker_controlled_input": "Base64-encoded SQL string in PreviewSqlDTO.sql field",
  "trigger_path": "DatasetDataServer.previewSql → DatasetDataManage.previewSqlWithLog → DatasetDataManage.previewSql → SQLUtils.buildOriginPreviewSql → Provider.transSqlDialect → Provider.replaceTablePlaceHolder → CalciteProvider.jdbcFetchResultField → Statement.executeQuery",
  "observed_impact_class": "sql_injection",
  "exploitability_confidence": "high",
  "evidence_scope": "runtime_tested",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "file_path": "core/core-backend/src/main/java/io/dataease/dataset/manage/DatasetDataManage.java",
  "line_start": 436,
  "line_end": 520,
  "secondary_anchors": [
    {
      "file_path": "core/core-backend/src/main/java/io/dataease/datasource/provider/CalciteProvider.java",
      "line_start": 173,
      "line_end": 230
    },
    {
      "file_path": "core/core-backend/src/main/java/io/dataease/engine/utils/SQLUtils.java",
      "line_start": 13,
      "line_end": 20
    }
  ],
  "review_scope_paths": [
    "core/core-backend/src/main/java/io/dataease/dataset/manage/DatasetDataManage.java",
    "core/core-backend/src/main/java/io/dataease/datasource/provider/CalciteProvider.java",
    "core/core-backend/src/main/java/io/dataease/engine/utils/SQLUtils.java",
    "core/core-backend/src/main/java/io/dataease/datasource/type/Pg.java",
    "core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "repro_log": "logs/variant_run8.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": ["vuln_variant/reproduction_steps.sh"]
  }
}