PT-2026-33364 · Apache+2 · Commons-Collections+2

Published 2026-04-16 · Updated 2026-05-25 · CVE-2026-40901
CVSS v4.0: 9.0 Critical
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.21
Description: An authenticated attacker who can write to the Quartz job table, for example through SQL injection in 'previewSql', can achieve remote code execution. The application bundles Quartz 2.3.2, whose JDBC job store deserializes the JOB_DATA BLOB of the qrtz_job_details table with ObjectInputStream and applies no deserialization filter or class allowlist. By replacing a scheduled job's JOB_DATA with a CommonsCollections6 gadget-chain payload, the attacker gets arbitrary commands executed as root inside the container the next time the job's cron trigger fires. The gadget chain is reachable because the legacy velocity-1.7 dependency pulls in commons-collections-3.2.1.jar, which contains InvokerTransformer and the other classes the chain needs.
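The sink described above is reached only when Quartz deserializes a job's JOB_DATA, so the cheapest post-exposure check is to inspect those blobs before the JVM does. The scanner below is an added example written for this advisory, not DataEase or Quartz code. It relies on one property of Java serialization: every class a stream instantiates is named in a TC_CLASSDESC record (0x72, a 2-byte length, then the class name), so a JobDataMap that has been swapped for a CommonsCollections chain exposes the gadget class names in plain ASCII. The allowlist of classes a legitimate DataEase JobDataMap contains, the scheduler name in the usage block, and the sample blobs are all assumptions constructed for the example; the sample blobs are not captured payloads and would not deserialize in a JVM.

```python
"""Scan Quartz JOB_DATA blobs (qrtz_job_details) for gadget-chain class names.

Editor's example for this advisory; not DataEase or Quartz code.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream header: magic + version 5
TC_CLASSDESC = 0x72                  # class descriptor record tag

# Classes the CommonsCollections chains need; CC6 uses the first five.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.keyvalue.TiedMapEntry",
    "org.apache.commons.collections4.functors.InvokerTransformer",
}

# Assumed allowlist for a legitimate DataEase JobDataMap (an assumption for this
# example, not taken from the product): the map itself plus string key/values.
EXPECTED_CLASSES = {"org.quartz.JobDataMap", "java.util.HashMap", "java.lang.String"}

# Fully qualified Java class name: identifier segments joined by dots.
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


def extract_class_names(blob):
    """Return class names declared by TC_CLASSDESC records, in stream order.

    Deliberately shallow (no full grammar walk): a stream that is malformed or
    truncated after the gadget classes still yields them. The cost is that a
    stray 0x72 ('r') inside string data followed by a plausible length and a
    name-shaped run could be reported, so treat the output as triage.
    """
    names = []
    i = 0
    while i + 3 <= len(blob):
        if blob[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", blob[i + 1:i + 3])
            candidate = blob[i + 3:i + 3 + length]
            if length and len(candidate) == length and CLASS_NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def triage_job_data(blob):
    """Classify one JOB_DATA value: 'invalid', 'clean', 'unexpected' or 'gadget'."""
    if blob is None:                       # NULL column: no data map to inspect
        return "clean", []
    if not blob.startswith(STREAM_MAGIC):
        return "invalid", []
    names = extract_class_names(blob)
    hits = sorted(set(names) & GADGET_CLASSES)
    if hits:
        return "gadget", hits
    unexpected = sorted(set(names) - EXPECTED_CLASSES)
    if unexpected:
        return "unexpected", unexpected
    return "clean", names


def scan_rows(rows):
    """Triage (SCHED_NAME, JOB_NAME, JOB_GROUP, JOB_DATA) rows, as returned by
    SELECT SCHED_NAME, JOB_NAME, JOB_GROUP, JOB_DATA FROM qrtz_job_details,
    and return every row that is not clean."""
    findings = []
    for sched_name, job_name, job_group, job_data in rows:
        verdict, detail = triage_job_data(job_data)
        if verdict != "clean":
            findings.append((f"{sched_name}/{job_group}.{job_name}", verdict, detail))
    return findings


def _classdesc(name):
    """TC_CLASSDESC fragment for a constructed sample: name, fake serialVersionUID,
    SC_SERIALIZABLE flag, zero fields, TC_ENDBLOCKDATA, TC_NULL superclass."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode("ascii")
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70")


# Constructed sample blobs: just enough structure for the scanner to walk.
BENIGN_BLOB = (STREAM_MAGIC + b"\x73" + _classdesc("org.quartz.JobDataMap")
               + b"\x74\x00\x0c" + b"dashboard_id")          # TC_STRING + a key
TAMPERED_BLOB = (STREAM_MAGIC + b"\x73" + _classdesc("java.util.HashMap")
                 + b"\x73" + _classdesc("org.apache.commons.collections.keyvalue.TiedMapEntry")
                 + b"\x73" + _classdesc("org.apache.commons.collections.map.LazyMap")
                 + b"\x73" + _classdesc("org.apache.commons.collections.functors.InvokerTransformer"))

if __name__ == "__main__":
    # Scheduler and job names are assumed for the example.
    rows = [("DataEaseScheduler", "task-1", "DEFAULT", BENIGN_BLOB),
            ("DataEaseScheduler", "task-2", "DEFAULT", TAMPERED_BLOB)]
    for job, verdict, detail in scan_rows(rows):
        print(f"{job}: {verdict} {detail}")
```

Run it against the real table by feeding scan_rows the cursor of the SELECT shown in its docstring; a 'gadget' verdict on any row means the job was tampered with and the host should be treated as compromised, while 'unexpected' rows need a manual look since the allowlist here is an assumption about what DataEase stores.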
Recommendations: Update to version 2.10.21. Until the upgrade is deployed, the sink can be narrowed with a JVM-wide JEP 290 filter (for example -Djdk.serialFilter='!org.apache.commons.collections.**;!org.apache.commons.collections4.**'), which rejects the known CommonsCollections gadget classes but not gadgets from other libraries on the classpath; Quartz can also be run with org.quartz.jobStore.useProperties=true so that JobDataMap contents are stored as strings rather than serialized objects, provided every job's data map holds only strings. Because a tampered job fires on its schedule, instances that were exposed before patching should have the JOB_DATA column of qrtz_job_details inspected for unexpected classes and be treated as compromised if any are found.

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-40901

Affected Products: Commons-Collections, Dataease, Quartz