Skip to main content

Node.js CVE-2026-33130

| EUVDEUVD-2026-13670 MEDIUM
PHP Remote File Inclusion (CWE-98)
2026-03-20 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.2.1
EUVD ID Assigned
Mar 20, 2026 - 10:00 euvd
EUVD-2026-13670
Analysis Generated
Mar 20, 2026 - 10:00 vuln.today
CVE Published
Mar 20, 2026 - 09:50 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.

AnalysisAI

Uptime Kuma versions 1.23.0 through 2.2.0 contain an incomplete Server-Side Template Injection (SSTI) vulnerability in the LiquidJS templating engine that allows authenticated attackers to read arbitrary files from the server. A prior fix (GHSA-vffh-c9pq-4crh) attempted to restrict file path access through three mitigation options (root, relativeReference, dynamicPartials), but this fix only blocks quoted paths; attackers can bypass the mitigation by using unquoted absolute paths like /etc/passwd that successfully resolve through the require.resolve() fallback mechanism in liquid.node.js. The vulnerability requires low privileges (authenticated access) but can result in high confidentiality impact, making it a notable information disclosure risk for self-hosted monitoring deployments.

Technical ContextAI

The vulnerability exists in Uptime Kuma's use of the LiquidJS templating engine (a Node.js implementation of Shopify's Liquid template language) within the notification provider system. The root cause, classified as CWE-98 (Improper Control of Filename for Include/Require Statement in Program), stems from an incomplete implementation of file path constraints in notification-provider.js. The initial mitigation added three LiquidJS configuration options (root, relativeReference, dynamicPartials) intended to restrict template file resolution, but these options only prevent path traversal when paths are quoted. The third-stage file resolution mechanism in liquid.node.js uses Node.js's require.resolve() function without any containment checks, allowing unquoted absolute paths to bypass the first two stages of constraint. Quoted paths appear secured only incidentally because literal quote characters in the path argument cause require.resolve('"/etc/passwd"') to fail with MODULE_NOT_FOUND, not due to intentional security design. The affected product is Uptime Kuma (cpe:2.3:a:louislam:uptime-kuma:*:*:*:*:*:*:*:*), an open-source Node.js-based self-hosted monitoring tool.

RemediationAI

Upgrade Uptime Kuma to version 2.2.1 or later immediately, as this version includes the complete fix for the LiquidJS file path containment issue (see https://github.com/louislam/uptime-kuma/releases/tag/2.2.1). For organizations unable to patch immediately, restrict network access to the Uptime Kuma instance to trusted administrative networks only, limit notification template usage to non-sensitive data, and audit all configured notification providers to ensure they do not include user-controlled template content. Additionally, review access control for Uptime Kuma user accounts and revoke credentials for any accounts that are not actively needed, since the vulnerability requires authenticated access. Monitor file access logs on the server for any suspicious access patterns targeting sensitive system files like /etc/passwd or configuration directories.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-33130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy