13 matches found
CVE-2026-30957
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...
CVE-2026-30921
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
Summary: OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page...
GHSA-JW8Q-GJVG-8W4Q OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
Summary: OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page...
OneUptime Security Vulnerability
OneUptime is a comprehensive solution developed by OneUptime OpenSource. It is used to monitor and manage your online services. Versions of OneUptime prior to 10.0.21 contain security vulnerabilities, which stem from improper execution of untrusted code in Synthetic Monitors, potentially allowing...
PT-2026-24190
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.21. Description: OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic...
CVE-2026-30921 OneUptime Synthetic Monitor RCE via exposed Playwright browser object
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...
CVE-2026-30921 OneUptime Synthetic Monitor RCE via exposed Playwright browser object
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...
CVE-2026-30887
Summary: CVE-2026-30887 affects OneUptime prior to version 10.0.18, where untrusted Playwright/JavaScript code run in Synthetic Monitors is executed inside the insecure Node.js vm module, allowing a prototype-chain escape (this.constructor.constructor) to reach the host process and execute arbitr...
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
Summary: OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page...
PT-2026-24093
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.20. Description: OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. This code runs within Node's vm and is provided...
Kibana 8.12.1 Security Update (ESA-2024-21)
Kibana Improper Authorization ESA-2024-21 Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. Affected Versions: Kibana versions before and including 8.12.0. Solutions and Mitigations: The issue is resolved in versions 8.12.1. Fo...
New Relic: Server Side Browsing - localhost open port enumeration
Hi again to all, I've found that it is possible to scan all the open ports and network information of internal instances of your Amazon DC that are related to synthetics monitors. NOTE: I do not have a pro account so I can use the more advanced synthetics functions or the Insights db query to get...