14 matches found
CVE-2026-39400
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...
CVE-2026-39401
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an updateevent key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privile...
CVE-2026-39400
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...
CVE-2026-39401
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an updateevent key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privile...
CVE-2026-39401 Privilege Escalation via update_event Job Output in Cronicle
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an updateevent key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privile...
CVE-2026-39401 Privilege Escalation via update_event Job Output in Cronicle
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an updateevent key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privile...
CVE-2026-39401
Cronicle prior to 0.9.111 is affected by CVE-2026-39401. The vulnerability arises when jb child processes can include an update_event key in their JSON output, which the server applies directly to the parent event’s stored configuration without authorization. A low-privilege user who can create a...
CVE-2026-39400
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...
EUVD-2026-19923
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...
CVE-2026-39400 Stored XSS via Job HTML/Table Output in Cronicle
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...
CVE-2026-39400 Stored XSS via Job HTML/Table Output in Cronicle
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...
CVE-2026-39400
Cronicle suffers a Stored XSS vulnerability in versions before 0.9.111. A non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without ...
PT-2026-31020
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A...
PT-2026-31019
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create events and run events privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The...