CVE-2026-40901

UNKNOWN 0.0

DataEase: Quartz Deserialization → Remote Code Execution

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

CWE	CWE-502
Vendor	dataease
Product	dataease
Published	Apr 16, 2026

Stay Ahead of the Next One

Get instant alerts for dataease dataease

Be the first to know when new unknown vulnerabilities affecting dataease dataease are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

dataease / dataease

< 2.10.21

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466 github.com: https://github.com/dataease/dataease/releases/tag/v2.10.21