CVE-2026-30957
CRITICAL
GHSA-jw8q-gjvg-8w4q
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
Analysis
OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all OneUptime deployments and identify which versions are in use; disable Synthetic Monitors feature if operationally feasible and restrict access to the OneUptime platform to essential personnel only. Within 7 days: Implement network segmentation to isolate OneUptime probe servers from critical systems; apply restrictive RBAC to limit low-privileged user access to monitoring functions; deploy WAF rules to monitor and block suspicious command injection patterns. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today