DataEase: stacked-query SQL injection via previewSql with allowMultiQueries
What's the vulnerability?
DataEase's "preview SQL" endpoint takes user-supplied SQL meant to represent a dataset's source query and wraps it inside a subquery, roughly:
SELECT * FROM ( <USER_SQL> ) AS pruva_alias LIMIT 100
The server does NOT validate that the user input is a single SELECT statement. When the underlying MySQL JDBC connection has allowMultiQueries=true (a Connector/J connection property set on the JDBC URL of the configured datasource), a crafted payload that uses MySQL's # single-line comment can close the wrapping subquery early, append its own statements, and comment out the rest of the wrapper. Example payload:
SELECT 1 FROM dual) AS x; INSERT INTO core_msg_type (id, name, pid) VALUES (999999999, 'pwned-by-cve-2026-40900', 0)#
After the server's SELECT * FROM ( ... ) AS pruva_alias LIMIT 100 wrap is applied, this is a syntactically valid multi-statement script: the first statement is a benign SELECT (SELECT * FROM ( SELECT 1 FROM dual) AS x), the second is the attacker's side-effecting query, and the trailing # turns the remainder of the wrapper (closing parenthesis, alias, LIMIT) into a comment. With allowMultiQueries=true the driver sends the whole script as one query and the server executes both statements; with autocommit on (the JDBC default) the attacker's INSERT/UPDATE/DELETE is committed to the application database.
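The following Python is added here as an illustration; it is not DataEase's code and not part of Pruva's reproduction. It mimics the server-side wrap described above, splits the wrapped payload into the statements the server would actually execute, and implements the single-statement check that previewSql lacks. The function names, the masking approach and the benign sample query are assumptions; the payload is the one shown above.

```python
import re

# The wrap described in the advisory (the alias name is Pruva's rendering).
WRAPPER = "SELECT * FROM ( {sql} ) AS pruva_alias LIMIT 100"

# Constructed inputs: the advisory's payload, and a benign query that contains
# a ';' inside a string literal plus a trailing comment (must NOT be rejected).
PAYLOAD = ("SELECT 1 FROM dual) AS x; INSERT INTO core_msg_type (id, name, pid) "
           "VALUES (999999999, 'pwned-by-cve-2026-40900', 0)#")
BENIGN = "SELECT id, name FROM core_msg_type WHERE name = 'a;b' -- note\nORDER BY id"


def wrap_preview(user_sql: str) -> str:
    """Mimic the server-side subquery wrap applied by previewSql."""
    return WRAPPER.format(sql=user_sql)


def mask(sql: str) -> str:
    """Return sql with the contents of string literals, quoted identifiers and
    comments replaced by spaces (length preserved), so that ';', '(' and ')'
    inside them are not mistaken for SQL syntax. Covers MySQL '...', "...",
    `...` (backslash and doubled-quote escapes) and #, -- and /* */ comments."""
    out = list(sql)
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":
            j = i + 1
            while j < n:
                if sql[j] == "\\" and c != "`":      # backslash escape
                    j += 2
                    continue
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:  # doubled quote escape
                        j += 2
                        continue
                    break
                j += 1
            for k in range(i + 1, min(j, n)):
                out[k] = " "
            i = j + 1
        elif c == "#" or sql.startswith("-- ", i) or sql.startswith("--\n", i):
            j = sql.find("\n", i)
            j = n if j == -1 else j
            for k in range(i, j):
                out[k] = " "
            i = j
        elif sql.startswith("/*", i):
            j = sql.find("*/", i + 2)
            j = n if j == -1 else j + 2
            for k in range(i, j):
                out[k] = " "
            i = j
        else:
            i += 1
    return "".join(out)


def split_statements(sql: str) -> list[str]:
    """Split a script on ';' characters that lie outside literals and comments,
    which is how the server sees it when multi-statements are allowed."""
    masked = mask(sql)
    parts, start = [], 0
    for m in re.finditer(";", masked):
        parts.append(sql[start:m.start()])
        start = m.end()
    parts.append(sql[start:])
    # drop pieces that are only whitespace or comments
    return [p.strip() for p in parts if mask(p).strip()]


def is_single_select(user_sql: str) -> bool:
    """The check previewSql lacks: exactly one statement, a read-only leading
    keyword, and balanced parentheses (an early ')' escapes the subquery)."""
    masked = mask(user_sql)
    if ";" in masked:
        return False
    if masked.count("(") != masked.count(")"):
        return False
    first = re.match(r"\s*(\w+)", masked)
    return bool(first) and first.group(1).upper() in ("SELECT", "WITH")


if __name__ == "__main__":
    for stmt in split_statements(wrap_preview(PAYLOAD)):
        print("server would execute:", stmt)
    print("payload passes check:", is_single_select(PAYLOAD))
    print("benign passes check:", is_single_select(BENIGN))
```

The leading-keyword test is a heuristic (SELECT ... INTO OUTFILE and SELECT ... FOR UPDATE also begin with SELECT), so it complements rather than replaces the other layers: refuse allowMultiQueries on any datasource JDBC URL, and run preview queries through a database account that cannot write to the application schema.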
In the full chain documented by Ox Security (auth bypass CVE-2026-23958 -> JDBC blocklist bypass CVE-2026-40899 -> this CVE -> Quartz scheduler RCE) the attacker uses CVE-2026-40899 to plant allowMultiQueries=true in the JDBC URL of a datasource. For a standalone reproduction of CVE-2026-40900 we can shortcut that step by registering the datasource with allowMultiQueries=true manually (as admin): the bug under test is the missing single-statement enforcement in previewSql.
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script. Install it with:
curl -fsSL https://pruva.dev/install.sh | sh
Then run either of:
pruva-verify REPRO-2026-00169
pruva-verify CVE-2026-40900
Or Run Manually
Download the script:
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00169/artifacts/bundle/repro/reproduction_steps.sh
Make it executable:
chmod +x reproduction_steps.sh
Run the script:
./reproduction_steps.sh
How Pruva Reproduced This
Watch the AI agent's step-by-step process.