cvedb.io
CVE-2021-41269
CRITICAL · CVSS 10
EPSS exploitation probability: 0%
Published 2021-11-15T21:15:07.393 · Last modified 2026-06-17T04:08:12.490

Summary

cron-utils is a Java library to define, parse, validate and migrate crons, as well as get human-readable descriptions for them. In affected versions, a template injection was identified in cron-utils, enabling attackers to inject arbitrary Java EL expressions and leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds.

Affected products

cron-utils_project — cron-utils
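
The summary gives two conditions for exposure: a cron-utils release older than the fixed 9.1.6, and use of the @Cron annotation on untrusted input. The following triage script is an added example, not code from cron-utils or from this page; it assumes the Maven coordinates com.cronutils:cron-utils, the `mvn dependency:list` line format, and that the annotation lives in the com.cronutils.validation package. It cannot tell whether the validated value is untrusted, so that part stays a manual review.

```python
import re

FIXED = (9, 1, 6)  # release the advisory says to upgrade to
# Assumption: Maven coordinates com.cronutils:cron-utils, `mvn dependency:list` line format.
DEP_RE = re.compile(r"com\.cronutils:cron-utils:jar:([^:\s]+)")
# Assumption: the annotation is imported from the com.cronutils.validation package.
ANNOTATION_RE = re.compile(r"@Cron\b")

def parse_version(text):
    """Leading numeric part of a version string: '9.1.2' -> (9, 1, 2)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        return (0, 0, 0)  # unparseable: treat as old so a human looks at it
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))

def assess(dependency_list, sources):
    """Return (status, versions_below_fix, files_using_the_annotation)."""
    found = sorted(set(DEP_RE.findall(dependency_list)))
    old = [v for v in found if parse_version(v) < FIXED]
    users = sorted(path for path, text in sources.items()
                   if "com.cronutils.validation" in text and ANNOTATION_RE.search(text))
    if not old:
        return "ok", old, users
    if users:
        return "exposed-if-input-untrusted", old, users
    return "outdated-annotation-unused", old, users

# Constructed sample input, not taken from any real project.
SAMPLE_DEPS = """\
[INFO]    org.hibernate.validator:hibernate-validator:jar:6.1.7.Final:compile
[INFO]    com.cronutils:cron-utils:jar:9.1.2:compile
"""
SAMPLE_SOURCES = {
    "src/main/java/app/JobRequest.java":
        "import com.cronutils.validation.Cron;\n"
        "public class JobRequest { @Cron(type = CronType.QUARTZ) String schedule; }\n",
    "src/main/java/app/CronJobRunner.java":
        "public class CronJobRunner { @CronJob void run() {} }\n",
}

if __name__ == "__main__":
    status, versions, files = assess(SAMPLE_DEPS, SAMPLE_SOURCES)
    print(status, versions, files)
```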


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.