Vulnerability Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dataease | Dataease | < 2.10.21 |
Related Weaknesses (CWE)
References
- https://github.com/dataease/dataease/releases/tag/v2.10.21Release Notes
- https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466ExploitThird Party Advisory
FAQ
What is CVE-2026-40901?
CVE-2026-40901 is a vulnerability with a CVSS score of 8.8 (HIGH). DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTr...
How severe is CVE-2026-40901?
CVE-2026-40901 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40901?
Check the references section above for vendor advisories and patch information. Affected products include: Dataease Dataease.