
CVE-2026-40899 - Vulnerability Analysis

Severity: Medium | CVSS: 6.5

Last Updated: April 20, 2026

DataEase - Insecure Deserialization

Published: April 16, 2026 | Updated: April 20, 2026 | PoC Available | Remote Exploitable

Overview

DataEase <= 2.10.20 contains a file-system read vulnerability caused by a JDBC parameter blocklist bypass via Jackson deserialization of the illegalParameters field. An authenticated attacker can read arbitrary files from the server by abusing LOAD DATA LOCAL INFILE; exploitation requires authentication.

Severity & Score

Severity: Medium
CVSS Score: 6.5

Impact

Authenticated attackers can read arbitrary files on the server, exposing sensitive data like environment variables and database credentials.

Mitigation

Upgrade to version 2.10.21 or later.
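The Overview describes two weaknesses stacked together: a JDBC parameter blocklist that the client can influence through a deserialized field (illegalParameters), and a driver option (LOAD DATA LOCAL INFILE) that turns a datasource definition into a file read. The example below is an added illustration written for this page, not DataEase's code or its fix; it assumes a generic datasource JSON with a `jdbcUrl` field, a constructed allowlist, and the MySQL Connector/J property names `allowLoadLocalInfile` / `allowUrlInLocalInfile`. It goes a little beyond the single case on the page: the server keeps its own policy (client-supplied control fields are dropped rather than merged), and parameter names are percent-decoded and case-folded before the allowlist check, so the usual ways of slipping past a string blocklist are closed.

```python
"""Defensive validation of a JDBC datasource definition (added example).

Two rules are enforced:
  1. Policy fields in the payload (here the constructed name 'illegalParameters')
     are server-owned and are discarded if the client sends them.
  2. JDBC query parameters are normalised and checked against an allowlist,
     not a blocklist, so unknown or file-reading driver options are refused.
"""
import json
from urllib.parse import unquote_plus

# Constructed allowlist of JDBC query parameters a datasource may carry.
# A real deployment derives this from the drivers it actually ships.
ALLOWED_PARAMS = {"usessl", "servertimezone", "characterencoding", "connecttimeout"}

# Payload fields that only the server may set (name taken from the advisory;
# the payload shape around it is an assumption of this example).
SERVER_ONLY_FIELDS = {"illegalParameters"}

# MySQL Connector/J options that let the driver read client-side files.
# With an allowlist they are rejected anyway; listed here for clarity/logging.
FILE_READ_OPTIONS = {"allowloadlocalinfile", "allowurlinlocalinfile"}


def parse_jdbc_params(url: str) -> dict:
    """Split the query part of a JDBC URL into normalised key/value pairs.

    Keys are percent-decoded, stripped and lower-cased, so that
    'allowLoadLocalInfile', 'ALLOWLOADLOCALINFILE' and 'allow%4CoadLocalInfile'
    all collapse to the same name before the policy check.
    """
    if "?" not in url:
        return {}
    query = url.split("?", 1)[1]
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params[unquote_plus(key).strip().lower()] = unquote_plus(value).strip()
    return params


def validate_jdbc_url(url: str, allowed=ALLOWED_PARAMS) -> list:
    """Return the parameter names that are not on the allowlist (empty == OK)."""
    return sorted(k for k in parse_jdbc_params(url) if k not in allowed)


def load_datasource_config(json_text: str) -> dict:
    """Parse a datasource definition, drop client-supplied policy fields and
    validate the JDBC URL. Raises ValueError on any disallowed parameter."""
    cfg = json.loads(json_text)
    for field in SERVER_ONLY_FIELDS:
        cfg.pop(field, None)  # never let the payload override server policy
    bad = validate_jdbc_url(cfg.get("jdbcUrl", ""))
    if bad:
        flagged = [p for p in bad if p in FILE_READ_OPTIONS]
        note = f" (file-read option: {', '.join(flagged)})" if flagged else ""
        raise ValueError(f"disallowed JDBC parameters: {', '.join(bad)}{note}")
    return cfg


def is_accepted(json_text: str) -> bool:
    """Convenience wrapper: True if the definition passes validation."""
    try:
        load_datasource_config(json_text)
        return True
    except ValueError:
        return False


# Constructed sample payloads (not taken from the advisory).
SAFE_PAYLOAD = json.dumps({
    "name": "reporting-db",
    "jdbcUrl": "jdbc:mysql://db.internal:3306/reports?useSSL=true&serverTimezone=UTC",
})
# Tries to blank the server blocklist and to enable a file-reading option
# under a case variant; the allowlist rejects it regardless of the field.
HOSTILE_PAYLOAD = json.dumps({
    "name": "reporting-db",
    "illegalParameters": [],
    "jdbcUrl": "jdbc:mysql://db.internal:3306/reports?ALLOWLOADLOCALINFILE=true",
})

if __name__ == "__main__":
    print("accepted:", load_datasource_config(SAFE_PAYLOAD)["jdbcUrl"])
    try:
        load_datasource_config(HOSTILE_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The design point is that the blocklist was never the right control: once the set of forbidden names can be replaced by the caller, or matched only against the exact spelling the attacker chooses not to use, the check is gone. A server-owned allowlist applied to a normalised parameter name survives both problems, and the upgrade to 2.10.21 or later remains the actual fix for DataEase itself.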

Details

CVE ID
CVE-2026-40899
Severity
Medium
CVSS Score
6.5
Type
insecure_deserialization
Status
confirmed

CWE

  • CWE-183

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N