CVE-2021-41110 | CWL Viewer: deserialization of untrusted data can lead to complete takeover by an attacker
Exp
cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no available workarounds aside from installing the patch. The SnakeYaml constructor, by default, allows any data to be parsed. To fix the issue the object needs to be created with a `SafeConstructor` object, as seen in the patch.
Conclusion & alert: CVE-2021-41110 is rated High Exploit Risk (82.9/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 2.72%).Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +2.12% over the last day, indicating growing attacker interest.Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Public exploit references (Exploit-DB) for CVE-2021-41110
Exploit prediction scoring system (EPSS) score for CVE-2021-41110
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).