CVE-2026-40901 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: April 20, 2026
DataEase - Remote Code Execution
Overview
DataEase versions 2.10.20 and earlier are vulnerable to remote code execution through unsafe deserialization of Quartz job data. The affected releases ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar, and that jar contains the InvokerTransformer gadget used by the CommonsCollections6 chain. An authenticated attacker who can write to the Quartz job table can store a crafted serialized object there; when Quartz loads the job data it is deserialized and the embedded command runs as root inside the container. Exploitation requires authenticated write access to the Quartz job table.
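Triage script for this issue, added here as an example (it is not DataEase, Quartz or thehackerwire code): it flags a vulnerable commons-collections jar in an application lib directory, opens the archive to confirm it really ships InvokerTransformer, and classifies a JOB_DATA value pulled from the Quartz job table by looking for the Java serialization magic and the class names a CommonsCollections6 stream carries. The lib directory, the jar names and the two JOB_DATA blobs are constructed samples (the "poisoned" blob only carries the class-name strings, not a working payload); the 3.2.2 cut-off is the commons-collections release that stopped serializing the functor classes by default.

```python
"""Triage for the DataEase / Quartz deserialization issue: is a gadget-bearing jar
present, and does the Quartz job table hold a poisoned row? Added example, not project code."""
import re
import zipfile
from pathlib import Path

# Class the CommonsCollections6 chain needs, as a path inside the jar.
GADGET_CLASS = "org/apache/commons/collections/functors/InvokerTransformer.class"
# Class names that appear as UTF strings inside a CC6 serialized stream.
CC6_MARKERS = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.keyvalue.TiedMapEntry",
    b"org.apache.commons.collections.map.LazyMap",
)
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION
CC_JAR = re.compile(r"^commons-collections-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def commons_collections_vulnerable(jar_name: str) -> bool:
    """True for commons-collections older than 3.2.2, the release that made the
    functor classes non-serializable unless explicitly enabled."""
    m = CC_JAR.match(jar_name)
    if not m:
        return False
    version = tuple(int(x) if x else 0 for x in m.groups())
    return version < (3, 2, 2)


def jar_ships_gadget(jar_path: Path) -> bool:
    """Open the archive instead of trusting the file name (shaded jars lie)."""
    with zipfile.ZipFile(jar_path) as zf:
        return GADGET_CLASS in zf.namelist()


def scan_lib_dir(lib_dir: Path) -> list[str]:
    """Findings for the two artefacts the advisory names."""
    findings = []
    for jar in sorted(lib_dir.glob("*.jar")):
        if commons_collections_vulnerable(jar.name) and jar_ships_gadget(jar):
            findings.append(f"{jar.name}: gadget-bearing commons-collections")
        elif jar.name == "velocity-1.7.jar":
            findings.append(f"{jar.name}: legacy velocity that pulls in commons-collections 3.2.1")
    return findings


def triage_job_data(blob: bytes) -> dict:
    """Classify one serialized job-data value read from the Quartz job table."""
    is_java_stream = blob.startswith(JAVA_SERIAL_MAGIC)
    hits = [m.decode() for m in CC6_MARKERS if m in blob]
    if is_java_stream and hits:
        verdict = "gadget"            # stored payload: treat the host as compromised
    elif is_java_stream:
        verdict = "java-serialized"   # what JDBCJobStore writes for a normal JobDataMap
    else:
        verdict = "not-java-stream"   # e.g. name/value storage, or not a Quartz blob at all
    return {"verdict": verdict, "markers": hits}


# Constructed samples (not real payloads): a benign java.util.HashMap stream header and a
# blob that merely carries the CC6 class names after the magic.
BENIGN_JOB_DATA = JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap\x05\x07\xda\xc1\xc3\x16\x60\xd1"
POISONED_JOB_DATA = JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashSet" + b"".join(
    b"\x00" + m for m in CC6_MARKERS)


def build_demo(tmp: Path) -> Path:
    """Constructed lib directory: vulnerable 3.2.1, patched 3.2.2, velocity, quartz."""
    lib = tmp / "lib"
    lib.mkdir()
    contents = {
        "commons-collections-3.2.1.jar": GADGET_CLASS,
        "commons-collections-3.2.2.jar": GADGET_CLASS,  # class still present, not serializable by default
        "velocity-1.7.jar": "org/apache/velocity/Template.class",
        "quartz-2.3.2.jar": "org/quartz/Job.class",
    }
    for name, entry in contents.items():
        with zipfile.ZipFile(lib / name, "w") as zf:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only, no real bytecode
    return lib


def run_demo() -> list[str]:
    """Build the constructed lib directory in a temp dir and scan it."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        return scan_lib_dir(build_demo(Path(d)))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
    for blob in (BENIGN_JOB_DATA, POISONED_JOB_DATA):
        print(triage_job_data(blob))
```

Point scan_lib_dir at the real lib directory inside the DataEase container, and feed triage_job_data each JOB_DATA value from the Quartz job table (QRTZ_JOB_DETAILS with Quartz's default table prefix; adjust if the deployment changed it). A "gadget" verdict means the table already holds a payload, so the host is a compromise to investigate, not just a system to patch. The name check is deliberately backed by opening the jar: a shaded or renamed dependency passes a name-only scan in either direction.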
Severity & Score
High, CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Impact
An authenticated attacker with write access to the Quartz job table can execute arbitrary commands as root inside the DataEase container, which is full remote code execution on that host with no user interaction required (CVSS 3.1 PR:L, UI:N).
Mitigation
Upgrade to version 2.10.21 or later. Until the upgrade is in place, restrict write access to the Quartz tables (QRTZ_* with Quartz's default prefix, the serialized job data living in QRTZ_JOB_DETAILS.JOB_DATA) to the application's own database account, and audit those tables for rows the application did not write. As defense in depth not covered by this advisory, Quartz's JDBCJobStore can store job data as String properties instead of serialized objects (org.quartz.jobStore.useProperties=true, which requires every JobDataMap value to be a String), and a JVM deserialization filter (jdk.serialFilter) can reject the org.apache.commons.collections package outright.
References
Social Media Activity (2 posts)
CVE-2026-40901 - High (8.8) DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz ... https://www.thehackerwire.com/vulnerability/CVE-2026-40901/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-40901
- Severity: High
- CVSS Score: 8.8
- Type: insecure_deserialization
- Status: confirmed
- EPSS: 40.1%
- Social Posts: 2
CWE
- CWE-502 (Deserialization of Untrusted Data)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H