CVE-2026-39400
Received Received - Intake
Stored Cross-Site Scripting in Cronicle Job Output Fields

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39400
EUVD
EUVD-2026-19923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cronicle cronicle to 0.9.111 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Cronicle, a multi-server task scheduler with a web-based UI. Before version 0.9.111, a non-admin user who has the privileges to create and run events can inject arbitrary JavaScript code through certain job output fields such as html.content, html.title, table.header, table.rows, and table.caption.

The server stores this injected data without sanitizing it, and the client renders it using innerHTML on the Job Details page, which leads to the execution of the malicious JavaScript.

This vulnerability was fixed in version 0.9.111.

Impact Analysis

The vulnerability allows a non-admin user with specific privileges to execute arbitrary JavaScript in the context of the web application.

This can lead to cross-site scripting (XSS) attacks, which may result in unauthorized actions, data theft, session hijacking, or other malicious activities performed on behalf of the victim user.

Mitigation Strategies

To mitigate this vulnerability, upgrade Cronicle to version 0.9.111 or later, where the issue has been fixed.

Compliance Impact

The vulnerability allows a non-admin user with certain privileges to inject arbitrary JavaScript into job output fields, which is then stored without sanitization and rendered on the client side. This could potentially lead to unauthorized data access or manipulation.

Such unauthorized script injection and potential data exposure could impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure data integrity.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39400. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart