CVE-2026-40901HIGH 8.8EPSS p45.4%

CVE-2026-40901CVE-2026-40901

Description

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.63% probability of exploitation · percentile 45.4% · 2026-06-19T12:03:05Z
Published2026-04-16
Last modified2026-04-20

Underlying weaknesses· 1

CWE-502

References

  1. https://github.com/dataease/dataease/releases/tag/v2.10.21
  2. https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466

1

TypeTargetConfidenceTier
WeaknessDeserialization of Untrusted Datacwe-5020%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-48998
CVE
CVE-2025-57773
CVE
CVE-2026-40900
CVE
CVE-2025-48999
CVE
CVE-2026-33207
CVE
CVE-2025-58046
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.