CVE-2026-40901

HIGH

8.8

Descricao

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

Detalhes CVE

Pontuacao CVSS v3.18.8

SeveridadeHIGH

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosLOW

Interacao do usuarioNONE

Publicado4/16/2026

Ultima modificacao4/20/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

dataease:dataease

Fraquezas (CWE)

CWE-502

Referencias

https://github.com/dataease/dataease/releases/tag/v2.10.21(security-advisories@github.com)

https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.