CVE-2021-41110
9.1 CRITICALcwlviewer is a web application to view and share Common Workflow Language workflows
Published: 2021-10-01 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 9.1 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- CWE
- CWE-502
Affected products
| Vendor | Product |
|---|---|
| commonwl | cwlviewer |
Description
cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no available workarounds aside from installing the patch. The SnakeYaml constructor, by default, allows any data to be parsed. To fix the issue the object needs to be created with a `SafeConstructor` object, as seen in the patch.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-41110
- [Patch]https://github.com/common-workflow-language/cwlviewer/commit/f6066f09edb70033a2ce80200e9fa9e70a5c29de
- [Patch]https://github.com/common-workflow-language/cwlviewer/security/advisories/GHSA-7g7j-f5g3-fqp7
- [Exploit reference]https://www.fatalerrors.org/a/analysis-of-the-snakeyaml-deserialization-in-java-security.html
- [Patch]https://github.com/common-workflow-language/cwlviewer/commit/f6066f09edb70033a2ce80200e9fa9e70a5c29de
- [Patch]https://github.com/common-workflow-language/cwlviewer/security/advisories/GHSA-7g7j-f5g3-fqp7
- [Exploit reference]https://www.fatalerrors.org/a/analysis-of-the-snakeyaml-deserialization-in-java-security.html
Related CVEs
Same CWE
- CVE-2026-48775 — LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite) (6.8 MEDIUM)
- CVE-2026-10748 — An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating s...
- CVE-2026-24228 — NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data (7.8 HIGH)
- CVE-2026-48853 — Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unau...
- CVE-2026-9691 — Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions (9.8 CRITICAL)