Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.
AnalysisAI
Stored cross-site scripting (XSS) in Cronicle prior to 0.9.111 allows authenticated users with create_events and run_events privileges to inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The injected payload is stored server-side without sanitization and executed client-side via innerHTML when other users view the Job Details page, enabling session hijacking, credential theft, or malicious actions performed in the context of the viewing user's session. No public exploit code or active exploitation has been reported at the time of analysis.
Technical ContextAI
Cronicle is a multi-server task scheduler built with a web-based UI that stores job metadata and execution results in server-side data structures. The vulnerability stems from a failure to sanitize user-supplied input in job output fields before storing them in the database. When the Job Details page renders these fields via innerHTML (a DOM operation that interprets HTML and executes embedded scripts), untrusted JavaScript is executed in the browser context of any user viewing that job. This is a classic stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected CPE is cpe:2.3:a:jhuckaby:cronicle:*:*:*:*:*:*:*:*, indicating all versions before 0.9.111 are impacted. The fix likely involves HTML entity encoding, Content Security Policy enforcement, or use of a DOM-safe rendering method (e.g., textContent instead of innerHTML) for untrusted user input.
RemediationAI
Vendor-released patch: Cronicle 0.9.111. Upgrade to this version or later immediately. For organizations unable to upgrade quickly, restrict create_events and run_events privileges only to highly trusted administrators pending the upgrade, and disable or isolate the Job Details page in the UI for non-admin users. Additionally, consider implementing a Web Application Firewall (WAF) rule to block script-like payloads in job output fields, though this is a temporary measure and not a substitute for patching. See the official GitHub advisory at https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-36q6-pwxv-j545 and vulnerability details at https://vuldb.com/vuln/355936 for confirmation of the fix and deployment guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19923