Deserialization in DataEase

CVE-2026-40901

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain…

Vulnerability class: Insecure Deserialization

EPSS: 0.001 (34.1th percentile)

References