PT-2026-31019 · Cronicle · Cronicle

Morimori-Dev · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-39400

CVSS v3.1: 6.1 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Cronicle versions prior to 0.9.111

Description

Cronicle is a multi-server task scheduler and runner with a web-based front-end UI. A non-admin user with create events and run events privileges can inject arbitrary JavaScript through job output fields, including html.content, html.title, table.header, table.rows, and table.caption. The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page.

Recommendations

Update to version 0.9.111 or later.
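
The description comes down to untrusted job-output fields reaching an innerHTML sink. As an added illustration (not Cronicle's code and not the 0.9.111 patch), the JavaScript below escapes the five named fields before any markup is built; the function names, the assumed object shapes and the sample data are constructed for this example.

```javascript
// Added example: escape job-output fields before they reach an HTML sink.
// Field names come from the advisory; function names and shapes are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Neutralise the five fields named in the advisory and return a new object.
// Assumption: html.content is treated as plain text; a deployment that needs
// rich HTML there would use an allow-list sanitizer instead of escaping.
function sanitizeJobOutput(job) {
  const out = {};
  if (job.html && typeof job.html === 'object') {
    out.html = {
      title: escapeHtml(job.html.title),
      content: escapeHtml(job.html.content),
    };
  }
  if (job.table && typeof job.table === 'object') {
    const header = Array.isArray(job.table.header) ? job.table.header : [];
    const rows = Array.isArray(job.table.rows) ? job.table.rows : [];
    out.table = {
      caption: escapeHtml(job.table.caption),
      header: header.map(escapeHtml),
      rows: rows.map((r) => (Array.isArray(r) ? r : [r]).map(escapeHtml)),
    };
  }
  return out;
}

// Build table markup from already-escaped values only, so assigning the
// result to innerHTML cannot introduce new elements or attributes.
function renderTable(table) {
  const head = table.header.map((h) => `<th>${h}</th>`).join('');
  const body = table.rows
    .map((r) => `<tr>${r.map((c) => `<td>${c}</td>`).join('')}</tr>`)
    .join('');
  return `<table><caption>${table.caption}</caption><tr>${head}</tr>${body}</table>`;
}

// Constructed sample: job output as an untrusted job might report it.
const sample = {
  html: { title: 'Report <script>alert(1)</script>', content: '<img src=x onerror=alert(1)>' },
  table: { caption: 'Hosts', header: ['Name', '<b>Status</b>'], rows: [['web-1', '"ok" & up']] },
};
const safe = sanitizeJobOutput(sample);
console.log(renderTable(safe.table));
```

Escaping at render time covers data that was already stored before the upgrade; escaping or rejecting at ingest in addition keeps the stored records clean.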

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-39400

Affected Products

Cronicle