Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.
Published: 2026-04-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

DataEase, an open‑source analytics platform, shipped with a legacy commons‑collections library that contains a vulnerable deserialization gadget chain. The bundled Quartz scheduler deserializes job data from the database without a security filter or class allowlist. An attacker who authenticates to the application and can write to the job table—e.g., via the previously disclosed SQL injection in previewSql—can replace a job’s data BLOB with a crafted payload that triggers the InvokerTransformer gadget chain. When the Quartz job runs, the payload is deserialized and executed as the process owner inside the container, yielding full remote code execution. The weakness maps to CWE‑502 (Deserialization of Untrusted Data).

Affected Systems

The vulnerability affects all DataEase instances running version 2.10.20 or earlier of the application, which includes the bundled velocity‑1.7.jar and quartz‑2.3.2.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is not available, but because the flaw requires an attacker to gain write access to the Quartz job table, exploitation is limited to authenticated users with sufficient privileges. The vulnerability is not listed in the CISA KEV catalog. In practice, an attacker able to use the previewSql injection can overwrite job data and trigger the gadget chain via a cron trigger, achieving arbitrary code execution within the container.

Generated by OpenCVE AI on April 17, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DataEase to version 2.10.21 or later, which removes the vulnerable quartz library and updates velocity.
  • Restrict write permissions on the qrtz_job_details table so that only trusted service accounts can modify scheduled job data.
  • Implement strict deserialization filtering or disable unnecessary cron jobs to prevent execution of malicious payloads.
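The third action above, a class allowlist on the ObjectInputStream that reads job data, shown as an added example (not code from DataEase or Quartz; it assumes Java 9+ for java.io.ObjectInputFilter, and the JobPayload and Unexpected classes are constructed stand-ins):

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class DeserializationFilterDemo {
    // Constructed stand-in for a legitimate scheduled-job payload.
    static final class JobPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final Map<String, String> params = new HashMap<>();
    }
    // Constructed stand-in for any class the scheduler never needs to deserialize.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "never expected in job data";
    }

    // Allowlist: the payload class plus the JDK classes it contains. The trailing "!*"
    // rejects every other class (gadget classes such as InvokerTransformer included).
    static final ObjectInputFilter JOB_DATA_FILTER = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$JobPayload;java.util.HashMap;java.lang.String;maxdepth=8;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Read a job-data BLOB with the allowlist attached before any object is read.
    static Object readJobData(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.setObjectInputFilter(JOB_DATA_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        JobPayload ok = new JobPayload();
        ok.params.put("report", "weekly");
        System.out.println("accepted: " + readJobData(serialize(ok)).getClass().getName());
        try {
            readJobData(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            // The filter rejects the class before its fields are read.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide to code you cannot modify, such as a bundled scheduler, through the `jdk.serialFilter` system property.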

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 19:15:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 22:30:00 +0000

  Type: First Time appeared
  Values removed: (none)
  Values added: Dataease; Dataease dataease
  Type: Vendors & Products
  Values removed: (none)
  Values added: Dataease; Dataease dataease

Thu, 16 Apr 2026 21:15:00 +0000

  Type: Description
  Values removed: (none)
  Values added: the CVE description reproduced at the top of this page
  Type: Title
  Values added: DataEase: Quartz Deserialization → Remote Code Execution
  Type: Weaknesses
  Values added: CWE-502
  Type: References
  Values added: (none shown)
  Type: Metrics
  Values added: cvssV4_0
    {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T18:47:00.448Z

Reserved: 2026-04-15T16:37:22.767Z

Link: CVE-2026-40901

Vulnrichment

Updated: 2026-04-17T18:46:55.603Z

NVD

Status: Undergoing Analysis

Published: 2026-04-16T21:16:24.270

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T02:30:07Z

Weaknesses