{
  "reproduction_type": "quartz_deserialization_rce",
  "cve": "CVE-2026-40901",
  "description": "Reproduces the Quartz JDBCJobStore deserialization RCE in DataEase. The vulnerable v2.10.20 image ships commons-collections-3.2.1.jar, which makes the CommonsCollections6 gadget chain available on the classpath. When a serialized payload is written to QRTZ_JOB_DETAILS.JOB_DATA, Quartz's StdJDBCDelegate.getObjectFromBlob() calls ObjectInputStream.readObject() during trigger acquisition; the CC6 gadget chain fires during that deserialization and executes Runtime.exec(). The fixed v2.10.21 image removes commons-collections-3.2.1.jar, so deserialization of the same payload fails with ClassNotFoundException instead.",
  "vulnerable_version": "v2.10.20",
  "fixed_version": "v2.10.21",
  "vulnerable_image": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.20",
  "fixed_image": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.21",
  "payload_generator": "ysoserial CommonsCollections6",
  "payload_size_bytes": 1308,
  "payload_target": "Quartz QRTZ_JOB_DETAILS.JOB_DATA BLOB deserialization via ObjectInputStream.readObject()",
  "vulnerable_service_test": {
    "marker_file_created": true,
    "quartz_evidence_log": "repro/evidence/vulnerable-quartz-evidence.log",
    "service_container_log": "repro/evidence/vulnerable-service-container.log"
  },
  "fixed_classpath_test": {
    "marker_file_created": false,
    "log_file": "repro/evidence/fixed-container-test.log"
  }
}
