# CVE-2026-40901

> Vulnerability · severity: **HIGH** (CVSS 8.8).

## Description

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

## Key facts

- **CVE ID:** CVE-2026-40901
- **Published:** 2026-04-16
- **CVSS severity:** HIGH
- **CVSS base score:** 8.8
- **CWE codes:** CWE-502

## Affected products

- `dataease:dataease`

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40901

## Citation

> AI Analytics. CVE-2026-40901. Retrieved 2026-07-04 from https://api.ai-analytics.org/cve/CVE-2026-40901. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*