Plattform
javascript
Komponente
cronicle
Behoben in
0.9.112
CVE-2026-39400 affects Cronicle, a multi-server task scheduler with a web-based UI. This vulnerability allows a privileged, non-admin user to inject arbitrary JavaScript code into job output fields. Successful exploitation could lead to malicious script execution within the user's browser context, potentially compromising sensitive data or system functionality. The vulnerability impacts Cronicle versions 0.0.0 up to, but not including, version 0.9.111; a patch is available in version 0.9.111.
An attacker exploiting CVE-2026-39400 can inject malicious JavaScript code through the html.content, html.title, table.header, table.rows, and table.caption fields when creating or running jobs. Because Cronicle stores this data without sanitization and renders it using innerHTML on the Job Details page, the injected script will execute in the context of the user's browser. This could allow an attacker to steal session cookies, redirect users to phishing sites, deface the Cronicle UI, or potentially gain access to other systems if the user has elevated privileges. The blast radius is limited to the user's session and the Cronicle application itself, but the impact can be significant depending on the user's role and access rights.
CVE-2026-39400 was published on 2026-04-07. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public Proof-of-Concept (POC) code has been released. The vulnerability is not listed on CISA KEV or EPSS, suggesting a low probability of exploitation in the near term. Severity is pending evaluation.
Exploit-Status
EPSS
0.05% (16% Perzentil)
CISA SSVC
The primary mitigation for CVE-2026-39400 is to upgrade Cronicle to version 0.9.111 or later, which includes a fix for the XSS vulnerability. If immediate upgrade is not possible, consider implementing stricter input validation on the server-side to sanitize job output fields before storing them. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block XSS payloads targeting the Job Details page could provide an additional layer of defense. Monitor Cronicle logs for suspicious activity, particularly around job creation and modification events. After upgrading, confirm the fix by creating a new job with a malicious JavaScript payload in one of the affected fields and verifying that the payload is not executed when viewing the Job Details page.
Actualice Cronicle a la versión 0.9.111 o posterior para mitigar la vulnerabilidad de XSS. Esta versión corrige el problema de sanitización de datos en los campos de salida de los trabajos, evitando la inyección de código JavaScript malicioso.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
It's a Cross-Site Scripting (XSS) vulnerability in Cronicle, allowing attackers to inject JavaScript code through job output fields.
You are affected if you are running Cronicle versions 0.0.0 through 0.9.110. Upgrade to 0.9.111 to resolve the issue.
Upgrade Cronicle to version 0.9.111 or later. Consider input validation and WAF rules as interim measures.
Currently, there's no evidence of active exploitation or publicly available POC code.
Refer to the Cronicle project's official website and security advisories for updates and further information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.