PT-2026-31020 · Cronicle · Cronicle

Morimori-Dev · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-39401

CVSS v3.1: 5.4 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Cronicle versions prior to 0.9.111

Description: Cronicle is a multi-server task scheduler and runner with a web-based front-end UI. Before version 0.9.111, job (jb) child processes could include an update event key in their JSON output. The server applied this directly to the parent event’s stored configuration without authorization checks. A low-privilege user capable of creating and running events could modify any event property, including webhook URLs and notification emails.

Recommendations: Update to version 0.9.111 or later.
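
The missing check described above, shown as an added sketch that is not Cronicle's code or its actual fix: an unchecked merge of job-supplied updates next to a version that applies each field only with the launching user's authority. The key spelling `update_event`, the field names (`web_hook`, `notify_fail`, `notes`), the `edit_events` privilege flag, the allowlist and both function names are assumptions made for illustration.

```javascript
// Added illustration: hypothetical names, not Cronicle's actual code.
// Assumed policy: only these fields may be changed by job output alone.
const SAFE_FIELDS = new Set(['notes']);
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "Before" pattern described in the advisory: the job's update object is
// merged into the stored event with no check on who launched the job.
function applyUpdateUnchecked(event, jobOutput) {
  return Object.assign({}, event, jobOutput.update_event || {});
}

// Hardened pattern: each field is applied only with the authority of the
// user who launched the job; everything else is rejected and reported.
function applyUpdateChecked(event, jobOutput, user) {
  const result = { event: Object.assign({}, event), applied: [], rejected: [] };
  const update = jobOutput.update_event;
  if (update === null || typeof update !== 'object' || Array.isArray(update)) {
    return result; // nothing usable to apply
  }
  const canEdit = Boolean(user && user.privileges && user.privileges.edit_events);
  for (const key of Object.keys(update)) {
    if (!BLOCKED_KEYS.has(key) && (canEdit || SAFE_FIELDS.has(key))) {
      result.event[key] = update[key];
      result.applied.push(key);
    } else {
      result.rejected.push(key); // candidate for an audit-log entry
    }
  }
  return result;
}

// Constructed sample data (not taken from a real deployment).
const storedEvent = {
  id: 'e-demo', title: 'Nightly backup', notes: '',
  web_hook: 'https://hooks.example.internal/backup',
  notify_fail: 'ops@example.com'
};
const jobOutput = JSON.parse(
  '{"complete":1,"code":0,"update_event":' +
  '{"web_hook":"https://other.example.net/x","notes":"ran ok"}}'
);
const lowPrivUser = { username: 'demo-user', privileges: { create_events: 1, run_events: 1 } };

const unchecked = applyUpdateUnchecked(storedEvent, jobOutput);
const checked = applyUpdateChecked(storedEvent, jobOutput, lowPrivUser);
console.log('unchecked web_hook:', unchecked.web_hook);
console.log('checked web_hook:  ', checked.event.web_hook, 'rejected:', checked.rejected);
```

The `rejected` list is what a server would log, so attempts by a job to change fields outside its launcher's authority become visible to operators.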

Exploit

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-39401

Affected Products

Cronicle