{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:34:39.981Z", "datePublished": "2026-03-10T16:58:28.216Z", "dateUpdated": "2026-03-10T18:22:16.657Z"}, "containers": {"cna": {"title": "OneUptime Synthetic Monitor RCE via exposed Playwright browser object", "problemTypes": [{"descriptions": [{"cweId": "CWE-749", "lang": "en", "description": "CWE-749: Exposed Dangerous Method or Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q"}, {"name": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21", "tags": ["x_refsource_MISC"], "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21"}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"version": "< 10.0.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T16:58:28.216Z"}, "descriptions": [{"lang": "en", "value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21."}], "source": {"advisory": "GHSA-jw8q-gjvg-8w4q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T18:21:28.474564Z", "id": "CVE-2026-30957", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:22:16.657Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30957", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T18:21:28.474564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:22:10.734Z"}}], "cna": {"title": "OneUptime Synthetic Monitor RCE via exposed Playwright browser object", "source": {"advisory": "GHSA-jw8q-gjvg-8w4q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"status": "affected", "version": "< 10.0.21"}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q", "name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21", "name": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-749", "description": "CWE-749: Exposed Dangerous Method or Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T16:58:28.216Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30957", "state": "PUBLISHED", "dateUpdated": "2026-03-10T18:22:16.657Z", "dateReserved": "2026-03-07T17:34:39.981Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T16:58:28.216Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED54DE0A-2CD8-4372-BECA-6F3AF29F2C2B", "versionEndExcluding": "10.0.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21."}, {"lang": "es", "value": "OneUptime es una soluci\u00f3n para monitorear y gestionar servicios en l\u00ednea. Antes de la versi\u00f3n 10.0.21, los Monitores Sint\u00e9ticos de OneUptime permiten a un usuario de proyecto autenticado con bajos privilegios ejecutar comandos arbitrarios en el servidor/contenedor oneuptime-probe. La causa ra\u00edz es que el c\u00f3digo no confiable del Monitor Sint\u00e9tico se ejecuta dentro de la vm de Node mientras que objetos de navegador y p\u00e1gina de Playwright del reino del host en vivo est\u00e1n expuestos a \u00e9l. Un usuario malicioso puede llamar a las API de Playwright en el objeto de navegador inyectado y hacer que la sonda genere un ejecutable controlado por el atacante. Este es un problema de ejecuci\u00f3n remota de c\u00f3digo de lado del servidor. No requiere un escape de sandbox de vm separado. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 10.0.21."}], "id": "CVE-2026-30957", "lastModified": "2026-03-12T14:11:29.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:54.737", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.0.21)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "oneuptime", "source": "cna", "vendor": "OneUptime"}, "product": "oneuptime", "vendor": "oneuptime"}], "analysis": {"en": {"generated_at": "2026-04-17T11:41:52.911631+00:00", "value": {"mitigation_remediation": ["Upgrade OneUptime to version 10.0.21 or later to apply the vendor fix.", "If an upgrade is not immediately possible, restrict the creation or execution of Synthetic Monitors to trusted privileged accounts and consider disabling the feature until a patch is available.", "Review probe host access controls and monitor for unexpected process creations to detect potential exploitation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of OneUptime before version 10.0.21 are impacted, including the open\u2011source distribution identified by the CPE hackerbay:oneuptime. Users deploying OneUptime Synthetic Monitoring features should verify their running version and consider it vulnerable if it is earlier than 10.0.21.", "description_and_impact": "Affected OneUptime Synthetic Monitors allowed a user with low\u2011privileged authenticated project access to run arbitrary commands on the probe server. Untrusted monitor scripts were executed inside Node\u2019s vm while live Playwright browser and page objects were exposed, letting a malicious user call browser APIs to launch attacker\u2011controlled executables. This is a CWE\u2011749 flaw and allows server\u2011side remote code execution on the probe host without needing a separate VM sandbox escape.", "risk_and_exploitability": "The CVSS score of 10 signals maximum severity, but the exploit probability is low with an EPSS score below 1%. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no widespread exploitation incidents have been reported yet. Attackers would need to be an authenticated, low\u2011privileged project user, which means an insider or compromised account could exploit this flaw. Due to the reliance on exposed Playwright objects, it could be used to compromise the probe host and potentially the wider network if lateral movement is possible."}}}}, "created": "2026-03-11T11:49:03.254495+00:00", "updated": "2026-04-17T11:45:06.244688+00:00", "vendors": ["oneuptime", "oneuptime$PRODUCT$oneuptime"]}