Impact
Sidekiq‑cron through version 2.3.1 renders a cron configuration page using a template that likely incorporates values from a URL without proper escaping. Based on the description, it is inferred that an attacker can craft a malicious URL whose contents are reflected into the page by the cron.erb template, enabling cross‑site scripting. The injected JavaScript would execute in the context of the web application when a user views the page, potentially stealing session cookies or defacing the interface, and thereby leading to account compromise or data theft.
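The mechanism described above, reduced to a runnable illustration in Ruby (the language Sidekiq and its templates are written in). This is an added example, not Sidekiq‑cron's own cron.erb: the two templates and the `name` local standing in for a URL‑derived value are constructed here, and the only difference between them is whether the value passes through `ERB::Util.html_escape` before reaching the page.

```ruby
require "erb"

# Constructed templates for illustration; neither is Sidekiq-cron's cron.erb.
# UNSAFE_TEMPLATE interpolates a request-derived value raw; SAFE_TEMPLATE
# passes it through ERB::Util.html_escape before it reaches the page.
UNSAFE_TEMPLATE = <<~TEMPLATE
  <h1>Cron job: <%= name %></h1>
TEMPLATE

SAFE_TEMPLATE = <<~TEMPLATE
  <h1>Cron job: <%= ERB::Util.html_escape(name) %></h1>
TEMPLATE

# Render a template with a single `name` local, standing in for a value the
# application copied out of the request URL (a hypothetical parameter).
def render(template, name)
  ERB.new(template).result_with_hash(name: name)
end

def render_unsafe(name)
  render(UNSAFE_TEMPLATE, name)
end

def render_safe(name)
  render(SAFE_TEMPLATE, name)
end

# Defender-side check: list every ERB output tag (<%= ... %>) whose expression
# is not wrapped in an escaping helper (h(...) or html_escape(...)), so a
# template can be audited for raw interpolation before it ships.
def unescaped_output_tags(template)
  template.scan(/<%=\s*(.*?)\s*%>/m).flatten.reject do |expr|
    expr.match?(/\A(ERB::Util\.)?(h|html_escape)\(/)
  end
end

if __FILE__ == $PROGRAM_NAME
  input = "<b>daily</b>"                   # constructed request value containing markup
  puts render_unsafe(input)                # markup survives verbatim: the browser parses it
  puts render_safe(input)                  # markup is neutralised to &lt;b&gt;daily&lt;/b&gt;
  p unescaped_output_tags(UNSAFE_TEMPLATE) # => ["name"]
  p unescaped_output_tags(SAFE_TEMPLATE)   # => []
end
```

The same `unescaped_output_tags` check can be pointed at any `.erb` file in a deployment to find output tags that bypass escaping.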
Affected Systems
The vulnerable product is Sidekiq‑cron, an open‑source scheduling add‑on for the Sidekiq background job processor. All releases up to and including 2.3.1 contain the flaw. Users deploying any of these releases may be exposed if the cron.erb template is reachable in their environment.
Risk and Exploitability
The failure is a classic Cross‑Site Scripting weakness (CWE‑79). Based on the description, it is inferred that exploitation requires delivery of a crafted URL and a user to view the rendered page, so the attack path is limited to users who can reach the cron page with that URL. The EPSS score of <1% indicates a very low probability of exploitation in the wild, and the vulnerability is not included in CISA’s KEV catalog. The CVSS score of 6.1 places it in the medium‑severity range. The primary risk is the exposure of user credentials and session data through browser‑based attacks, rather than remote code execution on the server side.
OpenCVE Enrichment
GitHub GHSA