What is the CVSS score of CVE-2026-27574?

CVE-2026-27574 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2026-27574?

A critical vulnerability (CVSS 9.9) in OneUptime monitoring infrastructure could allow attackers to gain complete control of affected systems and the services they monitor.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27574?

Yes, a public proof-of-concept exploit is available for CVE-2026-27574. Prioritise patching immediately. EPSS: 0.1%.

Node.js CVE-2026-27574

CRITICAL

Code Injection (CWE-94)

2026-02-21 security-advisories@github.com

GHSA-v264-xqh4-9xmm

Node.js Redis Oneuptime

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Feb 23, 2026 - 20:36 vuln.today

Public exploit code

Patch released

Feb 23, 2026 - 20:36 nvd

Patch available

CVE Published

Feb 21, 2026 - 11:15 nvd

CRITICAL 9.9

DescriptionNVD

OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process. Because the probe runs with host networking and holds all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) in its environment variables, and monitor creation is available to the lowest role (ProjectMember) with open registration enabled by default, any anonymous user can achieve full cluster compromise in about 30 seconds. This issue has been fixed in version 10.0.5.

AnalysisAI

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

RemediationAI

Within 24 hours: Inventory all OneUptime instances and assess exposure; isolate critical instances if patching cannot be completed immediately. Within 7 days: Apply available vendor patch to all OneUptime deployments in production and non-production environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-27574 vulnerability details – vuln.today

Back

Node.js CVE-2026-27574

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code