Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.
AnalysisAI
Cross-site scripting (XSS) vulnerability in OneUptime monitoring platform versions prior to 10.0.23, where the Markdown viewer component renders Mermaid diagrams with insecure settings that allow arbitrary JavaScript execution. An authenticated attacker with low privileges can inject malicious JavaScript through any markdown field (incident descriptions, status pages, monitor notes), potentially compromising other users' sessions. With an EPSS score of only 0.03% and no KEV listing, this appears to be a theoretical risk with no observed exploitation in the wild.
Technical ContextAI
The vulnerability stems from OneUptime's Markdown viewer component using Mermaid (a diagramming library) with securityLevel set to 'loose' and injecting SVG output via innerHTML. This configuration explicitly enables interactive event bindings through Mermaid's 'click' directive, violating CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability affects the OneUptime monitoring and management platform, which is used for tracking online service availability and incidents. The root cause is insufficient input sanitization combined with unsafe rendering practices for user-controlled markdown content.
RemediationAI
Update OneUptime to version 10.0.23 or later, which contains the fix for this vulnerability. The patch is available at https://github.com/OneUptime/oneuptime/releases/tag/10.0.23. As a temporary mitigation, organizations could restrict markdown editing permissions to trusted users only or disable Mermaid diagram rendering if not required. Review and sanitize any existing markdown content that may contain malicious Mermaid click directives.
OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands
OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring conf
OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.8), this vulnerability
OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by
OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.3), this vulnerability
OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validatio
Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from
OneUptime is a solution for monitoring and managing online services. Rated medium severity (CVSS 6.9), this vulnerabilit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11720
GHSA-wvh5-6vjm-23qh