CVE-2026-30958

High CVSS: 7.2

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.

Vendor

Hackerbay

Product

Oneuptime

CWE

CWE-22

Yayın Tarihi

2026-03-10 18:18:54

Güncelleme

2026-03-12 14:09:46

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Oneuptime HIGH Hackerbay 2026

Referanslar

https://github.com/OneUptime/oneuptime/releases/tag/10.0.21 https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p2wh-9pw8-hvff

Benzer Kayıtlar

Critical

CVE-2026-34758

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to N…

Critical

CVE-2026-33396

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authentica…

High

CVE-2026-33142

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-3230…

High

CVE-2026-33143

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook…

Medium

CVE-2026-32598

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the…

Critical

CVE-2026-32306

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API acc…