CVE-2026-30957

Critical CVSS: 9.9

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.

Vendor

Hackerbay

Product

Oneuptime

CWE

CWE-749

Yayın Tarihi

2026-03-10 18:18:54

Güncelleme

2026-03-12 14:11:29

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-749 Oneuptime CRITICAL Hackerbay 2026

Referanslar

https://github.com/OneUptime/oneuptime/releases/tag/10.0.21 https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q

Benzer Kayıtlar

Critical

CVE-2026-34758

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to N…

Critical

CVE-2026-33396

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authentica…

High

CVE-2026-33142

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-3230…

High

CVE-2026-33143

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook…

Medium

CVE-2026-32598

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the…

Critical

CVE-2026-32306

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API acc…