CVE-2026-39400
Stored XSS via Job HTML/Table Output in Cronicle
CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
16th
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.
| CWE | CWE-79 |
| Vendor | jhuckaby |
| Product | cronicle |
| Published | Apr 7, 2026 |
| Last Updated | Apr 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for jhuckaby cronicle
Be the first to know when new unknown vulnerabilities affecting jhuckaby cronicle are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
jhuckaby / Cronicle
< 0.9.111