CVE-2026-30958 OneUptime: Path Traversal — Arbitrary File Read (No Auth)

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...

CVE-2026-30958 OneUptime: Path Traversal — Arbitrary File Read (No Auth)

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...

EUVD-2026-10564

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...

CVE-2026-30958 OneUptime: Path Traversal — Arbitrary File Read (No Auth)

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...

EUVD-2026-10563

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...

CVE-2026-30957

CVE-2026-30957 / GHSA-JW8Q-GJVG-8W4Q describes a server-side remote code execution in OneUptime’s Synthetic Monitors. The root cause is that untrusted Synthetic Monitor code runs inside Node VM with live Playwright browser/page objects injected into the VM context. Although VMRunner proxies host ...

EUVD-2026-10562

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVE-2026-30957 OneUptime Synthetic Monitor RCE via exposed Playwright browser object

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVE-2026-30957 OneUptime Synthetic Monitor RCE via exposed Playwright browser object

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVE-2026-30956

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the...

Exposed Dangerous Method or Function

Overview @oneuptime/common is a The OneUptime Common UI Library is a collection of shared components, utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c Affected...

PT-2026-24254

Name of the Vulnerable Software and Affected Versions OneUptime versions prior to 10.0.21 Description OneUptime is a solution for monitoring and managing online services. A path traversal issue exists in the /workflow/docs/:componentName API endpoint, allowing unauthenticated reading of arbitrary...

OneUptime 路径遍历漏洞

OneUptime is a comprehensive solution developed by OneUptime OpenSource. It is used to monitor and manage your online services. Versions of OneUptime prior to 10.0.21 contained a path traversal vulnerability. This vulnerability stemmed from the /workflow/docs/ endpoint’s path traversal, which cou...

Exposed Dangerous Method or Function

Overview @oneuptime/common is a The OneUptime Common UI Library is a collection of shared components, utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c Affected...

CVE-2025-64516

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item ticket, asset, .... If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed i...

CVE-2025-64516

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item ticket, asset, .... If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed i...

UBUNTU-CVE-2025-64516

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item ticket, asset, .... If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed i...

EUVD-2025-206294

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item ticket, asset, .... If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed i...

CVE-2025-64516 GLPI incorrectly authorizes access to documents

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item ticket, asset, .... If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed i...

CVE-2025-64516 GLPI incorrectly authorizes access to documents

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item ticket, asset, .... If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed i...