216.73.217.22

CVE-2026-40901

· Published 16/04/2026 21:16 · Modified 17/04/2026 15:38

Labels: CVE-2026-40901 2026-04-16CVE-2026-40901CWE-502[email protected]

Essential information

Published
16/04/2026 21:16
Modified
17/04/2026 15:38
Author
Creator
CVSS
7.5 HIGH (v3) 7.5 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
dataease / dataease cpe:2.3:a:dataease:dataease:<2.10.21:*:*:*:*:*:*:*
dataease / dataease cpe:2.3:a:dataease:dataease:2.10.20:*:*:*:*:*:*:*

References