Critical severity 9.1 · NVD Advisory · Published Oct 1, 2021 · Updated Jun 17, 2026
CVE-2021-41110
Description
cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no available workarounds aside from installing the patch. The SnakeYaml constructor, by default, allows any data to be parsed. To fix the issue the object needs to be created with a SafeConstructor object, as seen in the patch.
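The difference between the default constructor and a SafeConstructor, as described above, shown as an added example (not cwlviewer's code or its patch). The class name, both sample documents and the harmless AtomicInteger tag are constructed for illustration; the permissive result is the behaviour of a bare `new Yaml()` on SnakeYAML 1.x, and the code assumes a release that provides `SafeConstructor(LoaderOptions)`.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlDemo {
    // Constructed input: an ordinary CWL-style document made of plain maps and scalars.
    static final String PLAIN = "cwlVersion: v1.0\nclass: Workflow\ninputs: {}\n";

    // Constructed input: a "!!" global tag naming a harmless JDK class. It stands in for
    // any class on the classpath: the document, not the application, picks the type.
    static final String TAGGED = "probe: !!java.util.concurrent.atomic.AtomicInteger 7\n";

    // Default constructor: on SnakeYAML 1.x it resolves global tags to Java classes.
    static Yaml permissiveYaml() {
        return new Yaml();
    }

    // Hardened form: only standard YAML types (maps, lists, strings, numbers, ...).
    // Older 1.x releases use the no-argument form: new SafeConstructor().
    static Yaml safeYaml() {
        return new Yaml(new SafeConstructor(new LoaderOptions()));
    }

    // Loads the document and reports either the resulting Java types or the rejection.
    static String describe(Yaml yaml, String doc) {
        try {
            Object root = yaml.load(doc);
            StringBuilder out = new StringBuilder(root.getClass().getSimpleName());
            if (root instanceof java.util.Map) {
                for (Object value : ((java.util.Map<?, ?>) root).values()) {
                    out.append(" -> ").append(value.getClass().getName());
                }
            }
            return out.toString();
        } catch (YAMLException e) {
            // SafeConstructor has no constructor registered for the class tag.
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("permissive, plain : " + describe(permissiveYaml(), PLAIN));
        System.out.println("permissive, tagged: " + describe(permissiveYaml(), TAGGED));
        System.out.println("safe, plain       : " + describe(safeYaml(), PLAIN));
        System.out.println("safe, tagged      : " + describe(safeYaml(), TAGGED));
    }
}
```

The plain workflow document loads under both configurations, so switching to SafeConstructor does not affect documents that use only standard YAML types; only the class-tagged document is refused.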
Affected products
- Range: < 1.3.1
- common-workflow-language/cwlviewer (v5), Range: < 1.3.1
References
- github.com/common-workflow-language/cwlviewer/commit/f6066f09edb70033a2ce80200e9fa9e70a5c29de (nvd: Patch, Third Party Advisory)
- github.com/common-workflow-language/cwlviewer/security/advisories/GHSA-7g7j-f5g3-fqp7 (nvd: Patch, Third Party Advisory)
- www.fatalerrors.org/a/analysis-of-the-snakeyaml-deserialization-in-java-security.html (nvd: Exploit, Third Party Advisory)