{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33396", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.169Z", "datePublished": "2026-03-26T13:40:12.145Z", "dateUpdated": "2026-03-26T13:56:13.442Z"}, "containers": {"cna": {"title": "OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg"}, {"name": "https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a", "tags": ["x_refsource_MISC"], "url": "https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a"}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"version": "< 10.0.35", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T13:40:12.145Z"}, "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch."}], "source": {"advisory": "GHSA-cqpg-phpp-9jjg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:56:09.223589Z", "id": "CVE-2026-33396", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:56:13.442Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33396", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T13:56:09.223589Z"}}}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:56:02.789Z"}}], "cna": {"title": "OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe", "source": {"advisory": "GHSA-cqpg-phpp-9jjg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"status": "affected", "version": "< 10.0.35"}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg", "name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a", "name": "https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T13:40:12.145Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33396", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:56:13.442Z", "dateReserved": "2026-03-19T17:02:34.169Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T13:40:12.145Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE6EDDCA-31EC-4458-ACF2-9FA51FAE4FAE", "versionEndExcluding": "10.0.35", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch."}], "id": "CVE-2026-33396", "lastModified": "2026-03-26T20:40:52.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T14:16:13.310", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.0.35)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "oneuptime", "source": "cna", "vendor": "OneUptime"}, "product": "oneuptime", "vendor": "oneuptime"}], "analysis": {"en": {"generated_at": "2026-03-26T22:27:54.753508+00:00", "value": {"mitigation_remediation": ["Upgrade OneUptime to version 10.0.35 or later.", "If an upgrade cannot be performed immediately, disable all Synthetic Monitor Playwright scripts to prevent exploitation.", "Reduce or remove the ability of ProjectMember role users to create or edit synthetic monitors until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "Vulnerable installations are running OneUptime versions prior to 10.0.35. Any deployment that has the synthetic monitor feature enabled can be affected. The affected product is OneUptime OneUptime.", "description_and_impact": "The vulnerability is a sandbox escape in the Synthetic Monitor Playwright runtime of OneUptime. A low\u2011privileged authenticated user with a ProjectMember role can run arbitrary JavaScript that accesses unblocked Playwright APIs to spawn processes on the Probe container or host. The flaw is due to an incomplete deny\u2011list, allowing code such as page.context().browser()._browserType.launchServer(...). This enables full control of the probe environment and results in remote command execution.", "risk_and_exploitability": "With a CVSS score of 10, the vulnerability is considered critical. The attacker must be authenticated as a ProjectMember, a role that can create or modify synthetic monitors. Once a malicious script is executed, the attacker can run arbitrary commands on the Probe or host. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified. The vulnerability is not yet listed in the CISA KEV catalog."}}}}, "created": "2026-03-27T08:34:15.052158+00:00", "updated": "2026-03-27T09:26:42.588985+00:00", "vendors": ["oneuptime", "oneuptime$PRODUCT$oneuptime"]}