{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30887", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.700Z", "datePublished": "2026-03-09T22:40:04.425Z", "dateUpdated": "2026-03-10T14:00:44.197Z"}, "containers": {"cna": {"title": "OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"version": "< 10.0.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:40:04.425Z"}, "descriptions": [{"lang": "en", "value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18."}], "source": {"advisory": "GHSA-h343-gg57-2q67", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:00:41.087768Z", "id": "CVE-2026-30887", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:00:44.197Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30887", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T14:00:41.087768Z"}}}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:00:32.517Z"}}], "cna": {"title": "OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE", "source": {"advisory": "GHSA-h343-gg57-2q67", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"status": "affected", "version": "< 10.0.18"}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67", "name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:40:04.425Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30887", "state": "PUBLISHED", "dateUpdated": "2026-03-10T14:00:44.197Z", "dateReserved": "2026-03-06T00:04:56.700Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T22:40:04.425Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBDE45D3-FDDB-49A9-8065-4A95B2BBDEEF", "versionEndExcluding": "10.0.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18."}], "id": "CVE-2026-30887", "lastModified": "2026-03-12T13:41:22.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T17:40:14.887", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.0.18)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "oneuptime", "source": "cna", "vendor": "OneUptime"}, "product": "oneuptime", "vendor": "oneuptime"}], "analysis": {"en": {"generated_at": "2026-04-17T11:47:59.710187+00:00", "value": {"mitigation_remediation": ["Update OneUptime to version 10.0.18 or later, which contains the fix for the unsandboxed code execution flaw.", "Restrict the ability to create or modify synthetic monitors to only highly trusted users and audit existing monitors for malicious code.", "If an update cannot be performed immediately, temporarily disable the synthetic monitor execution feature or enforce a strict content filter to prevent the execution of arbitrary JavaScript."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution and Full Cluster Compromise"}, "threat_synthesis": {"affected_systems": "The affected product is OneUptime, specifically all installations of the OneUptime application released prior to version 10.0.18. These versions run the probe module that hosts the vulnerable String.prototype constructor escape logic. No other vendors or products are known to be affected.", "description_and_impact": "OneUptime versions before 10.0.18 allow the execution of untrusted JavaScript code submitted by project members through Synthetic Monitors. The code is run inside the Node.js vm module without proper sandboxing, enabling a standard prototype\u2011chain escape to gain access to the Node.js process. This flaw is a classic instance of unsandboxed code execution (CWE\u201194). An attacker who can create or modify a synthetic monitor can therefore run arbitrary system commands on the oneuptime\u2011probe container and, because the probe stores database credentials in its environment, can achieve a complete compromise of the entire cluster.", "risk_and_exploitability": "The CVSS score of 10 reflects a high severity vulnerability with full local and remote privileges once the code is executed. The EPSS score of less than 1% indicates that the exploitation probability is very low at present, yet the possibility of the flaw remaining undiscovered and the impact of a successful exploit\u2014complete cluster compromise\u2014manifests a high overall risk. This vulnerability is not listed in the CISA KEV catalog. Attackers would most likely exploit it by creating or editing a synthetic monitor as a project member with code execution permissions; no additional external interaction is required once the user\u2019s code is submitted."}}}}, "created": "2026-03-10T14:06:29.971708+00:00", "updated": "2026-04-17T12:00:11.734901+00:00", "vendors": ["oneuptime", "oneuptime$PRODUCT$oneuptime"]}