CVE-2026-30921
CRITICAL
GHSA-4j36-39gm-8vq8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
Analysis
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit OneUptime user access and synthetic monitor configurations; isolate OneUptime-probe services from sensitive networks; disable synthetic monitor functionality if business-critical. Within 7 days: Implement network segmentation to restrict probe service lateral movement; enforce principle of least privilege for OneUptime user accounts; establish logging/monitoring of custom Playwright code submissions. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today