{
  "ticket_id": "CVE-2026-40899",
  "source": "cve",
  "cve_id": "CVE-2026-40899",
  "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40899",
  "references": [
    "https://nvd.nist.gov/vuln/detail/CVE-2026-40899",
    "https://www.cve.org/CVERecord?id=CVE-2026-40899",
    "https://www.ox.security/blog/from-auth-bypass-to-rce-a-4-vulnerability-exploit-chain-in-dataease/",
    "https://github.com/dataease/dataease",
    "https://github.com/dataease/dataease/releases/tag/v2.10.21",
    "https://projectlombok.org/features/Data"
  ],
  "published_at": "2026-05-20",
  "severity": "medium",
  "cwe": ["CWE-915", "CWE-470"],
  "cvss": {
    "nvd_v3_1_base_score": 6.5,
    "nvd_v3_1_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
  },
  "labels": ["security", "jdbc", "lombok", "blocklist-bypass", "dataease", "mysql", "spring-boot"],
  "state": "published"
}