Description
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Upgrade
AI Analysis

Impact

Cronicle’s web UI allows a non‑admin user with create_events and run_events privileges to inject arbitrary JavaScript into job output fields such as html.content, html.title, table.header, table.rows, and table.caption. The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. Based on the description, it is inferred that an attacker could execute code in the context of any authenticated user who views a job detail page, potentially enabling session hijacking, defacement, or malicious actions.

Affected Systems

Cronicle distributed by jhuckaby is affected. All releases prior to version 0.9.111 include the vulnerability. The issue was resolved in 0.9.111.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog, implying no publicly known exploits. The attack vector requires authentication and web application interaction; a user must possess create_events or run_events rights to inject unsafe content, and an authenticated victim must later view a job detail for the payload to execute. Because the data is stored and rendered by the server, the risk is confined to the internal network or users with web UI access.

Generated by OpenCVE AI on April 7, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cronicle to version 0.9.111 or later

Generated by OpenCVE AI on April 7, 2026 at 22:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Cronicle
Cronicle cronicle
CPEs cpe:2.3:a:cronicle:cronicle:*:*:*:*:*:*:*:*
Vendors & Products Cronicle
Cronicle cronicle
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Jhuckaby
Jhuckaby cronicle
Vendors & Products Jhuckaby
Jhuckaby cronicle

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.
Title Stored XSS via Job HTML/Table Output in Cronicle
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Cronicle Cronicle
Jhuckaby Cronicle
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:24:26.306Z

Reserved: 2026-04-06T22:06:40.516Z

Link: CVE-2026-39400

cve-icon Vulnrichment

Updated: 2026-04-09T18:14:23.886Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T21:17:18.333

Modified: 2026-06-17T10:42:03.273

Link: CVE-2026-39400

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:45:49Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')