CVE-2026-39401
Privilege Escalation via update_event Job Output in Cronicle
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 12th |
Cronicle is a multi-server task scheduler and runner, with a web-based front-end UI. Prior to 0.9.111, job child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111.
| CWE | CWE-862 |
| Vendor | jhuckaby |
| Product | cronicle |
| Published | Apr 7, 2026 |
| Last Updated | Apr 8, 2026 |
Affected Versions
jhuckaby / Cronicle
< 0.9.111
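
The missing authorization check (CWE-862) from the description above, shown beside a checked form. This is an added example, not Cronicle's code or its actual fix: the function names, the `edit_events` privilege flag, the allowlist and the sample event fields are assumptions made for illustration.

```javascript
// Added illustration; every name below is hypothetical, not taken from Cronicle's source.

// Keys a job may change on its own event once its launcher is authorized (assumed allowlist).
const JOB_EDITABLE = new Set(['enabled', 'notes', 'timing']);

// Pattern the advisory describes: job-supplied keys are merged into the
// stored event with no check on who launched the job or which keys are set.
function applyUpdateUnchecked(event, jobOutput) {
  if (jobOutput.update_event) Object.assign(event, jobOutput.update_event);
  return event;
}

// Checked form: the launching user must hold an edit privilege, and only
// allowlisted keys are applied. Rejected keys are returned so they can be logged.
function applyUpdateChecked(event, jobOutput, user) {
  const update = jobOutput.update_event;
  const result = { event: { ...event }, applied: [], rejected: [] };
  if (!update || typeof update !== 'object' || Array.isArray(update)) return result;
  const mayEdit = Boolean(user && user.privileges && user.privileges.edit_events);
  for (const [key, value] of Object.entries(update)) {
    if (mayEdit && JOB_EDITABLE.has(key)) {
      result.event[key] = value;
      result.applied.push(key);
    } else {
      result.rejected.push(key);
    }
  }
  return result;
}

// Constructed sample data: a stored event, one job's JSON output, and two users.
const storedEvent = { id: 'e1', enabled: 1,
  web_hook: 'https://hooks.example.com/ops', notify_fail: 'oncall@example.com' };
const jobOutput = JSON.parse('{"complete":1,"code":0,"update_event":' +
  '{"web_hook":"https://other.example.net/x","notify_fail":"someone@example.net","enabled":0}}');
const lowPrivUser = { username: 'runner', privileges: { create_events: 1, run_events: 1 } };
const editor = { username: 'editor', privileges: { edit_events: 1 } };

function demo() {
  return {
    unchecked: applyUpdateUnchecked({ ...storedEvent }, jobOutput),
    lowPriv: applyUpdateChecked(storedEvent, jobOutput, lowPrivUser),
    editor: applyUpdateChecked(storedEvent, jobOutput, editor),
  };
}
```

The `rejected` list is worth writing to an audit log: on a patched server, a job that keeps emitting `update_event` keys it is not allowed to set is a signal to review that event's owner.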