{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40901", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.767Z", "datePublished": "2026-04-16T20:57:45.978Z", "dateUpdated": "2026-04-17T18:47:00.448Z"}, "containers": {"cna": {"title": "DataEase: Quartz Deserialization \u2192 Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466"}, {"name": "https://github.com/dataease/dataease/releases/tag/v2.10.21", "tags": ["x_refsource_MISC"], "url": "https://github.com/dataease/dataease/releases/tag/v2.10.21"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 2.10.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T20:57:45.978Z"}, "descriptions": [{"lang": "en", "value": "DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21."}], "source": {"advisory": "GHSA-gm5q-g72w-c466", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T18:46:50.301320Z", "id": "CVE-2026-40901", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T18:47:00.448Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "DataEase: Quartz Deserialization \u2192 Remote Code Execution", "source": {"advisory": "GHSA-gm5q-g72w-c466", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 2.10.21"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dataease/dataease/releases/tag/v2.10.21", "name": "https://github.com/dataease/dataease/releases/tag/v2.10.21", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T20:57:45.978Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40901", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T18:46:50.301320Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-17T18:46:55.603Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40901", "state": "PUBLISHED", "dateUpdated": "2026-04-16T20:57:45.978Z", "dateReserved": "2026-04-15T16:37:22.767Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-16T20:57:45.978Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21."}], "id": "CVE-2026-40901", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T21:16:24.270", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dataease/dataease/releases/tag/v2.10.21"}, {"source": "security-advisories@github.com", "url": "https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.21)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dataease", "source": "cna", "vendor": "dataease"}, "product": "dataease", "vendor": "dataease"}], "analysis": {"en": {"generated_at": "2026-04-17T02:27:09.786518+00:00", "value": {"mitigation_remediation": ["Upgrade DataEase to version 2.10.21 or later, which removes the vulnerable quartz library and updates velocity.", "Restrict write permissions on the qrtz_job_details table so that only trusted service accounts can modify scheduled job data.", "Implement strict deserialization filtering or disable unnecessary cron jobs to prevent execution of malicious payloads."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all DataEase instances running version 2.10.20 or earlier of the application, which includes the bundled velocity\u20111.7.jar and quartz\u20112.3.2.", "description_and_impact": "DataEase, an open\u2011source analytics platform, shipped with a legacy commons\u2011collections library that contains a vulnerable deserialization gadget chain. The bundled Quartz scheduler deserializes job data from the database without a security filter or class allowlist. An attacker who authenticates to the application and can write to the job table\u2014e.g., via the previously disclosed SQL injection in previewSql\u2014can replace a job\u2019s data BLOB with a crafted payload that triggers the InvokerTransformer gadget chain. When the Quartz job runs, the payload is deserialized and executed as the process owner inside the container, yielding full remote code execution. The weakness maps to CWE\u2011502 (Deserialization of Untrusted Data).", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity. The EPSS score is not available, but because the flaw requires an attacker to gain write access to the Quartz job table, exploitation is limited to authenticated users with sufficient privileges. The vulnerability is not listed in the CISA KEV catalog. In practice, an attacker able to use the previewSql injection can overwrite job data and trigger the gadget chain via a cron trigger, achieving arbitrary code execution within the container."}}}}, "created": "2026-04-16T22:30:03.067342+00:00", "updated": "2026-04-17T02:30:07.316108+00:00", "vendors": ["dataease", "dataease$PRODUCT$dataease"]}