Oneuptime
CVE-2026-30957
CRITICAL
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on @oneuptime/common (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 10.0.21.
DescriptionGitHub Advisory
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
AnalysisAI
OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.
Technical ContextAI
CWE-749 in OneUptime < 10.0.21.
RemediationAI
Update OneUptime. All four vulnerabilities must be patched.
OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring conf
OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.8), this vulnerability
OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by
OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.3), this vulnerability
OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validatio
Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from
OneUptime is a solution for monitoring and managing online services. Rated medium severity (CVSS 6.9), this vulnerabilit
SQL injection in OneUptime telemetry API before 10.0.23.
Same weakness CWE-749 – Exposed Dangerous Method or Function
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jw8q-gjvg-8w4q