Skip to main content

Cronicle CVE-2026-39400

| EUVDEUVD-2026-19923 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.9.111
EUVD ID Assigned
Apr 07, 2026 - 20:31 euvd
EUVD-2026-19923
Analysis Generated
Apr 07, 2026 - 20:31 vuln.today
CVE Published
Apr 07, 2026 - 20:22 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.

AnalysisAI

Stored cross-site scripting (XSS) in Cronicle prior to 0.9.111 allows authenticated users with create_events and run_events privileges to inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The injected payload is stored server-side without sanitization and executed client-side via innerHTML when other users view the Job Details page, enabling session hijacking, credential theft, or malicious actions performed in the context of the viewing user's session. No public exploit code or active exploitation has been reported at the time of analysis.

Technical ContextAI

Cronicle is a multi-server task scheduler built with a web-based UI that stores job metadata and execution results in server-side data structures. The vulnerability stems from a failure to sanitize user-supplied input in job output fields before storing them in the database. When the Job Details page renders these fields via innerHTML (a DOM operation that interprets HTML and executes embedded scripts), untrusted JavaScript is executed in the browser context of any user viewing that job. This is a classic stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected CPE is cpe:2.3:a:jhuckaby:cronicle:*:*:*:*:*:*:*:*, indicating all versions before 0.9.111 are impacted. The fix likely involves HTML entity encoding, Content Security Policy enforcement, or use of a DOM-safe rendering method (e.g., textContent instead of innerHTML) for untrusted user input.

RemediationAI

Vendor-released patch: Cronicle 0.9.111. Upgrade to this version or later immediately. For organizations unable to upgrade quickly, restrict create_events and run_events privileges only to highly trusted administrators pending the upgrade, and disable or isolate the Job Details page in the UI for non-admin users. Additionally, consider implementing a Web Application Firewall (WAF) rule to block script-like payloads in job output fields, though this is a temporary measure and not a substitute for patching. See the official GitHub advisory at https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-36q6-pwxv-j545 and vulnerability details at https://vuldb.com/vuln/355936 for confirmation of the fix and deployment guidance.

Share

CVE-2026-39400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy