VYPR
Medium severity (6.1) · NVD Advisory · Published Apr 7, 2026 · Updated Apr 15, 2026

CVE-2026-39400

Description

Cronicle is a multi-server task scheduler and runner, with a web-based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Cronicle <0.9.111 allows non-admin users with event privileges to inject arbitrary JavaScript via job output fields.

Vulnerability

Cronicle prior to version 0.9.111 contains a stored cross-site scripting (XSS) vulnerability in its job output handling. The server accepts job output fields such as html.content, html.title, table.header, table.rows, and table.caption without any sanitization [1]. This unsanitized data is later rendered on the Job Details page using innerHTML on the client side, allowing arbitrary JavaScript execution [1].

Exploitation

An attacker who is a non-admin user with create_events and run_events privileges can craft a job that outputs malicious HTML containing JavaScript. For example, an attacker can set html.content to `` and submit the job results. When a victim (often an administrator) views the job details, the payload executes in the context of the victim's session [1].

Impact

Successful exploitation allows the attacker to perform any action that the victim can, including stealing session cookies, performing actions on behalf of the victim, or accessing sensitive information. The vulnerability is rated with a CVSS v3 score of 6.1 (Medium) [1].

Mitigation

The issue is fixed in Cronicle version 0.9.111. Users should upgrade to this version or later to eliminate the risk. No workaround is available other than restricting privileges for non-admin users [1].
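To make the defect and the fix concrete, here is an added example (not Cronicle's own code) that contrasts a Job Details renderer which concatenates the job output fields named above straight into markup with one that escapes them before they could reach innerHTML. The renderer functions and the sample job output are constructed for illustration; only the field names come from the advisory.

```javascript
// Added example, not Cronicle's code. Field names (html.title, html.content,
// table.caption, table.header, table.rows) follow the advisory; the renderer
// functions and the sample job output below are constructed for illustration.

// Escape the characters that let a string break out of an HTML text node or
// quoted attribute. Every field a job author controls goes through this.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (c) => map[c]);
}

// Build the Job Details markup. `esc` decides whether fields are trusted as
// markup (the vulnerable behaviour) or treated as text (the fix).
function renderJobOutput(output, esc) {
  const parts = [];
  if (output.html) {
    parts.push(`<h3>${esc(output.html.title)}</h3><div>${esc(output.html.content)}</div>`);
  }
  if (output.table) {
    const t = output.table;
    const header = (t.header || []).map((h) => `<th>${esc(h)}</th>`).join('');
    const rows = (t.rows || [])
      .map((r) => '<tr>' + r.map((c) => `<td>${esc(c)}</td>`).join('') + '</tr>')
      .join('');
    parts.push(`<table><caption>${esc(t.caption)}</caption><tr>${header}</tr>${rows}</table>`);
  }
  return parts.join('');
}

// Vulnerable: fields are concatenated verbatim, so `el.innerHTML = ...` would
// turn any tag in the job output into live DOM.
const renderJobOutputUnsafe = (output) => renderJobOutput(output, (v) => String(v ?? ''));

// Hardened: the same layout, but job-supplied strings can only ever be text.
const renderJobOutputSafe = (output) => renderJobOutput(output, escapeHtml);

// Constructed job output from a low-privilege user; the script tags stand in
// for whatever a job author might place in these fields.
const sampleOutput = {
  html: { title: 'Nightly backup', content: '<script>alert(1)</script>' },
  table: {
    caption: 'Hosts',
    header: ['host', 'status'],
    rows: [['db1', 'ok'], ['db2', '</td><script>alert(2)</script>']],
  },
};
```

If html.content is meant to carry real markup rather than text, plain escaping would break that feature and an allowlist-based HTML sanitizer would be needed instead; which approach the 0.9.111 fix takes is not stated on this page.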

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
