What is the CVSS score of CVE-2026-27728?

CVE-2026-27728 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Oneuptime are affected by CVE-2026-27728?

CVE-2026-27728 is a critical vulnerability (CVSS 9.9) affecting OneUptime monitoring infrastructure that could allow attackers to compromise service availability and monitoring capabilities.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27728?

Yes, a public proof-of-concept exploit is available for CVE-2026-27728. Prioritise patching immediately. EPSS: 0.4%.

Oneuptime CVE-2026-27728

CRITICAL

OS Command Injection (CWE-78)

2026-02-25 security-advisories@github.com

GHSA-jmhp-5558-qxh5

Command Injection Oneuptime

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 02, 2026 - 18:56 vuln.today

Public exploit code

Patch released

Mar 02, 2026 - 18:56 nvd

Patch available

CVE Published

Feb 25, 2026 - 17:25 nvd

CRITICAL 9.9

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on @oneuptime/common (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 10.0.7.

DescriptionNVD

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in NetworkPathMonitor.performTraceroute() allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Version 10.0.7 fixes the vulnerability.

AnalysisAI

OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands on the monitoring server. …

RemediationAI

Within 24 hours: Inventory all OneUptime instances and assess exposure; isolate affected systems from production if patch cannot be immediately applied. Within 7 days: Apply available vendor patch to all OneUptime deployments and validate functionality post-patch. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-27728 vulnerability details – vuln.today

Back

Oneuptime CVE-2026-27728

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code