
OneUptime CVE-2026-45102

EUVD-2026-32632 CRITICAL
Protection Mechanism Failure (CWE-693)
Published 2026-05-27 by GitHub_M
CVSS 3.1 base score: 9.9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: May 27, 2026 - 21:04 (EUVD)
Analysis generated: May 27, 2026 - 20:18 (vuln.today)

Description (NVD)

OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js vm module as an isolation primitive. This API was not designed for that purpose and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.

Analysis (AI)

Sandbox escape in OneUptime before 10.0.98 lets an authenticated user break out of the Node.js vm-module isolation that the platform relies on to safely run untrusted logic, gaining code execution in the host context. The vm module was never intended as a security boundary and can be escaped using error objects and infinite recursion, yielding full confidentiality, integrity, and availability impact (CVSS 9.9, scope-changed). …


Remediation (AI)

24 hours: Identify all OneUptime deployments running versions before 10.0.98; disable untrusted code execution features if available. 7 days: Restrict OneUptime access to trusted administrators; implement network isolation around all instances to prevent lateral movement. …

