Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-40901— DataEase: Quartz Deserialization → Remote Code Execution

EPSS 0.35% · P58
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-40901

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
DataEase: Quartz Deserialization → Remote Code Execution
Source: NVD (National Vulnerability Database)
Vulnerability Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
DataEase 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
DataEase是DataEase开源的一个开源的数据可视化分析工具。用于帮助用户快速分析数据并洞察业务趋势,从而实现业务的改进与优化。 DataEase 2.10.20及之前版本存在安全漏洞,该漏洞源于捆绑的velocity-1.7.jar引入包含InvokerTransformer反序列化小工具链的commons-collections-3.2.1.jar,且Quartz 2.3.2在反序列化作业数据BLOB时未使用反序列化过滤器或类允许列表,经过身份验证的攻击者可通过写入Quartz作业表实现远程代
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
dataeasedataease < 2.10.21 -

II. Public POCs for CVE-2026-40901

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-40901

登录查看更多情报信息。

Same Patch Batch · dataease · 2026-04-16 · 9 CVEs total

CVE-2026-40900DataEase has SQL Injection via Stacked Queries
CVE-2026-40899DataEase has an Arbitrary File Read Vulnerability
CVE-2026-33083DataEase has SQL Injection in Order By Clause
CVE-2026-33122DataEase has SQL Injection via Datasource Management
CVE-2026-33082DataEase: SQL Injection in v2 Dataset Export
CVE-2026-33207DataEase SQL Injection Vulnerability
CVE-2026-33121DataEase has SQL Injection via Datasource Save Flow
CVE-2026-33084DataEase has SQL Injection through its getFieldEnumObj Endpoint

IV. Related Vulnerabilities

Same product: dataease
Same vendor: dataease
Same weakness: CWE-502

V. Comments for CVE-2026-40901

No comments yet

Leave a comment