JavaScript Injection Vulnerability in Cronicle Multi-Server Task Scheduler
CVE-2026-39400

5.3 MEDIUM

Key Information:

Vendor: Jhuckaby

Status
Vendor
CVE Published: 7 April 2026

What is CVE-2026-39400?

Cronicle is a multi-server task scheduler with a web-based front-end. Non-admin users with the create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, and table.caption). The server stores this data without sanitization, and the browser later renders it unfiltered on the Job Details page, which exposes anyone viewing that page to cross-site scripting (XSS). The vulnerability has been addressed in version 0.9.111.
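
The missing server-side step described above, as an added example (not Cronicle's code and not the 0.9.111 patch): every field named in the advisory is HTML-escaped before the job update is stored. The payload shape, the sample data and the function names escapeHtml, escapeList and sanitizeJobOutput are assumptions.

```javascript
// Added example; field names come from the advisory, everything else is assumed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Coerce first so numbers, null and objects cannot skip escaping.
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept a scalar where a list is expected, so a wrong type is not a bypass.
const escapeList = (v) => (Array.isArray(v) ? v : [v]).map((x) => escapeHtml(x));

// Return a copy of a job update with all browser-rendered fields escaped.
function sanitizeJobOutput(update) {
  const clean = { ...update };
  if (update.html && typeof update.html === 'object') {
    clean.html = { ...update.html };
    for (const key of ['title', 'content']) {
      if (key in update.html) clean.html[key] = escapeHtml(update.html[key]);
    }
  }
  if (update.table && typeof update.table === 'object') {
    const t = update.table;
    clean.table = { ...t };
    if ('caption' in t) clean.table.caption = escapeHtml(t.caption);
    if ('header' in t) clean.table.header = escapeList(t.header);
    if ('rows' in t) {
      clean.table.rows = (Array.isArray(t.rows) ? t.rows : [t.rows]).map(escapeList);
    }
  }
  return clean;
}

// Constructed sample update, as a job run by a low-privilege user might emit.
const sample = {
  complete: 1,
  html: { title: '<script>alert(1)</script>', content: '<b onclick="x()">hi</b>' },
  table: { caption: "a'b", header: ['<b>Host</b>'], rows: [['web01', '<i>ok</i>'], 'bare<'] },
};

console.log(JSON.stringify(sanitizeJobOutput(sample), null, 2));
```

Escaping treats every field as plain text. If a field such as html.content must keep some markup, it needs an allow-list HTML sanitizer rather than blanket escaping.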

Affected Version(s)

Cronicle < 0.9.111

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
