Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
DataEase Data Visualization Platform: Remote Code Execution Risk
CVE-2026-40901
Summary
DataEase versions 2.10.20 and below are at risk of a security breach that could allow an attacker to gain full control of the system. If an attacker with permission to schedule jobs can exploit this vulnerability, they can run malicious code as the root user. Upgrade to version 2.10.21 or later to fix this issue.
Original title
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the Invoke...
Original description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.
nvd CVSS4.0
7.5
Vulnerability type
CWE-502
Deserialization of Untrusted Data
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026