CVE-2026-40901
Received - Intake
Deserialization RCE via Quartz Job Injection in DataEase

Publication date: 2026-04-16

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.
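The root cause above is an ObjectInputStream read with no filter or class allowlist. The following is an added example, not DataEase or Quartz code, showing what such a read looks like once a JDK serialization filter (java.io.ObjectInputFilter, JDK 9 and later; the same facility exists on 8u121+ under sun.misc) is applied to the stream. The class name JobDataFilterDemo, the allowlist in FILTER_PATTERN, the sample job-data map and the NotOnAllowlist stand-in class are all assumptions made for the demo; the point is that a class outside the allowlist is refused at the class-descriptor stage, before any constructor or readObject logic of a gadget class could run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class JobDataFilterDemo {

    // Assumed allowlist for a scheduler's job-data map: JDK collections and
    // boxed/string types only. The trailing "!*" rejects every other class,
    // so e.g. org.apache.commons.collections.functors.* never gets resolved.
    static final String FILTER_PATTERN =
        "java.util.**;java.lang.**;maxdepth=20;!*";

    // Deserialise one job-data BLOB with the filter bound to this stream only.
    // The filter must be set before the first readObject() call.
    static Object readJobData(byte[] blob) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Helper that produces the BLOB bytes a job store would persist.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed stand-in for any class a job-data map should never contain.
    static class NotOnAllowlist implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the kind of job-data map a legitimate cron job stores.
        Map<String, String> legit = new HashMap<>();
        legit.put("taskId", "nightly-export");
        legit.put("format", "csv");
        System.out.println("allowed:  " + readJobData(serialize(legit)));

        // A BLOB carrying a class outside the allowlist is rejected with
        // InvalidClassException ("filter status: REJECTED") before instantiation.
        try {
            readJobData(serialize(new NotOnAllowlist()));
            System.out.println("BUG: unexpected class was deserialised");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Where the deserialising code belongs to a bundled library rather than to the application, the same pattern can be applied process-wide with the JVM option -Djdk.serialFilter='java.util.**;java.lang.**;!*' (or the jdk.serialFilter entry in the java.security file), which every ObjectInputStream in the JVM consults. A global allowlist this narrow will also reject any legitimate application type that is stored in job data, so it has to be tested against the real job table contents; it is a defence-in-depth control alongside the fix in 2.10.21, not a substitute for removing the vulnerable jar.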
Meta Information
Published
2026-04-16
Last Modified
2026-04-20
Generated
2026-05-07
AI Q&A
2026-04-17
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dataease dataease to 2.10.21 (exc)
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in DataEase, an open-source data visualization and analytics platform, specifically in versions 2.10.20 and below. These versions include a legacy library, velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing a known deserialization gadget chain called InvokerTransformer.

The application also bundles Quartz 2.3.2, which deserializes job data stored in the qrtz_job_details table without any deserialization filters or class allowlists. An authenticated attacker who can write to this Quartz job table, potentially through a previously described SQL injection vulnerability, can replace a scheduled job's data with a malicious payload.

When the Quartz cron trigger executes, it deserializes this malicious payload, which leads to arbitrary command execution as root inside the container, resulting in full remote code execution.

This vulnerability has been fixed in DataEase version 2.10.21.


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows an authenticated attacker to execute arbitrary commands with root privileges inside the container running DataEase.

Such remote code execution can lead to full system compromise, data theft, data manipulation, service disruption, or further attacks within the network.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability can be mitigated by upgrading DataEase to version 2.10.21 or later, which fixes the issue.

