9.9
OneUptime Synthetic Monitors allow unauthorized command execution
GHSA-jw8q-gjvg-8w4q
CVE-2026-30957
Summary
A malicious user with a low-privileged account can run arbitrary commands on the OneUptime server, potentially compromising the system. This could allow an attacker to take control of the server or disrupt services. Update to version 10.0.21 to fix this issue.
What to do
- Update the oneuptime common package to version 10.0.21.
- Update the @oneuptime/common package to version 10.0.21.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| oneuptime | common | <= 10.0.21 | 10.0.21 |
| oneuptime | @oneuptime/common | <= 10.0.21 | 10.0.21 |
| hackerbay | oneuptime | <= 10.0.21 | – |
Original title
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands o...
Original description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
GHSA CVSS 3.1 score: 10.0
Vulnerability type
CWE-749
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026