4536 matches found

Cvelist
added 2026/03/10 4:58 p.m. | 26 views

CVE-2026-30957 OneUptime Synthetic Monitor RCE via exposed Playwright browser object

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVSS 9.9 | EPSS 0.00112
Exploits: 1 | References: 2
CVE
added 2026/03/10 4:58 p.m. | 11 views

CVE-2026-30957

CVE-2026-30957 / GHSA-JW8Q-GJVG-8W4Q describes a server-side remote code execution in OneUptime’s Synthetic Monitors. The root cause is that untrusted Synthetic Monitor code runs inside Node VM with live Playwright browser/page objects injected into the VM context. Although VMRunner proxies host ...

CVSS 9.9 | AI score 6.5 | EPSS 0.00112
Exploits: 1 | References: 2 | Affected Software: 1
Vulnrichment
added 2026/03/10 4:58 p.m. | 0 views

CVE-2026-30957 OneUptime Synthetic Monitor RCE via exposed Playwright browser object

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVSS 9.9 | AI score 6.5 | EPSS 0.00112
Exploits: 1 | References: 2
EUVD
added 2026/03/10 4:58 p.m. | 2 views

EUVD-2026-10562

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVSS 9.9 | AI score 6.5 | EPSS 0.00112
Exploits: 1 | References: 2
ATTACKERKB
added 2026/03/10 4:58 p.m. | 0 views

CVE-2026-30957

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVSS 9.9 | AI score 6.5 | EPSS 0.00112
Exploits: 1 | References: 3 | Affected Software: 1
EUVD
added 2026/03/09 10:58 p.m. | 3 views

EUVD-2026-10434

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...

CVSS 9.9 | AI score 6 | EPSS 0.00022
Exploits: 1 | References: 1
CVE
added 2026/03/09 10:58 p.m. | 11 views

CVE-2026-30921

OneUptime has a server-side RCE in Synthetic Monitors prior to version 10.0.20: untrusted user-provided Playwright code runs inside the oneuptime-probe VM with live Playwright objects (browser/page) injected, allowing an attacker to call browser.browserType().launch() and spawn arbitrary executab...

CVSS 9.9 | AI score 6 | EPSS 0.00022
Exploits: 1 | References: 1 | Affected Software: 1
EUVD
added 2026/03/09 10:58 p.m. | 2 views

EUVD-2026-10435

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...

CVSS 9.9 | AI score 6 | EPSS 0.00022
Exploits: 1 | References: 1
Cvelist
added 2026/03/09 10:58 p.m. | 37 views

CVE-2026-30921 OneUptime Synthetic Monitor RCE via exposed Playwright browser object

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...

CVSS 9.9 | EPSS 0.00022
Exploits: 1 | References: 1
ATTACKERKB
added 2026/03/09 10:58 p.m. | 2 views

CVE-2026-30921

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...

CVSS 9.9 | AI score 6 | EPSS 0.00022
Exploits: 1 | References: 2 | Affected Software: 1
ATTACKERKB
added 2026/03/09 10:40 p.m. | 3 views

CVE-2026-30887

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By...

CVSS 9.9 | AI score 6 | EPSS 0.00073
Exploits: 1 | References: 2 | Affected Software: 1
Vulnrichment
added 2026/03/09 10:40 p.m. | 5 views

CVE-2026-30887 OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By...

CVSS 9.9 | AI score 6 | EPSS 0.00073
Exploits: 1 | References: 1
OSV
added 2026/03/09 10:40 p.m. | 2 views

CVE-2026-30887 OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By...

CVSS 9.9 | AI score 6.1 | EPSS 0.00073
Exploits: 1 | References: 3
Cvelist
added 2026/03/09 10:40 p.m. | 41 views

CVE-2026-30887 OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By...

CVSS 9.9 | EPSS 0.00073
Exploits: 1 | References: 1
Github Security Blog
added 2026/03/07 2:39 a.m. | 6 views

OneUptime: Synthetic Monitor RCE via exposed Playwright browser object

Summary: OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page...

CVSS 9.9 | AI score 6.2 | EPSS 0.00022
Exploits: 1 | References: 12 | Affected Software: 1
OSV
added 2026/03/07 2:30 a.m. | 0 views

GHSA-H343-GG57-2Q67 OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE

Summary: OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape this.constructor.constructor, an...

CVSS 9.9 | AI score 6.2 | EPSS 0.00073
Exploits: 1 | References: 3
Snyk
added 2026/03/07 2:30 a.m. | 2 views

Arbitrary Code Injection

Overview: @oneuptime/common is the OneUptime Common UI Library, a collection of shared components and utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c Affected...

CVSS 9.9 | AI score 6 | EPSS 0.00073
Exploits: 1 | References: 2
RedhatCVE
added 2026/03/06 7:45 p.m. | 4 views

CVE-2026-27728

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in NetworkPathMonitor.performTraceroute allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell...

CVSS 9.9 | AI score 6 | EPSS 0.00396
Exploits: 1 | References: 1
Redos
added 2026/03/06 12:0 a.m. | 2 views

ROS-20260306-73-0008

A vulnerability in the at91_gpio_probe function of the drivers/pinctrl/pinctrl-at91.c file of the Linux operating system kernel is related to reading data outside of buffer boundaries in memory. Exploitation of the vulnerability could allow an attacker to cause a denial of service...

CVSS 7.1 | AI score 6 | EPSS 0.00072
Exploits: 0
Tenable Nessus
added 2026/03/05 12:0 a.m. | 1 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-005676)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005676 advisory. In the Linux kernel, the following vulnerability has been resolved: usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe. Smatch reports: drivers/usb/phy/phy-tahvo.c...

CVSS 5.5 | AI score 6.7 | EPSS 0.00021
Exploits: 0 | References: 4