CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

149 matches found

Uptime-Kuma < v1.23.0 - Improper Access Control

Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing...

5.3CVSS5.5AI score0.00425EPSS

Exploits1References2

RedhatCVE•added 2026/03/26 3:10 p.m.•3 views

CVE-2026-32230

Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query...

5.3CVSS5.9AI score0.00425EPSS

Exploits1References1

RedhatCVE•added 2026/03/26 3:8 p.m.•2 views

CVE-2026-33130

Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection SSTI. The three mitigations added to the Liquid engine root, relativeReference, dynamicPartials only block...

6.5CVSS5.7AI score0.00049EPSS

Exploits1References1

NVD•added 2026/03/20 10:16 a.m.•4 views

CVE-2026-33130

6.5CVSS0.00049EPSS

Exploits1References3

ATTACKERKB•added 2026/03/20 9:50 a.m.•3 views

CVE-2026-33130

6.5CVSS5.7AI score0.00049EPSS

Exploits1References4Affected Software1

EUVD•added 2026/03/20 9:50 a.m.•4 views

EUVD-2026-13670

6.5CVSS5.7AI score0.00049EPSS

Exploits1References3

Vulnrichment•added 2026/03/20 9:50 a.m.•4 views

CVE-2026-33130 Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix for GHSA-vffh-c9pq-4crh)

6.5CVSS5.7AI score0.00049EPSS

Exploits1References3

Cvelist•added 2026/03/20 9:50 a.m.•21 views

CVE-2026-33130 Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix for GHSA-vffh-c9pq-4crh)

6.5CVSS0.00049EPSS

Exploits1References3

OSV•added 2026/03/20 9:50 a.m.•3 views

CVE-2026-33130 Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix for GHSA-vffh-c9pq-4crh)

6.5CVSS5.8AI score0.00049EPSS

Exploits1References5

CVE•added 2026/03/20 9:50 a.m.•18 views

CVE-2026-33130

Uptime Kuma (versions 1.23.0–2.2.0) is affected by a server-side template injection (SSTI) in notification templates due to an incomplete fix for GHSA-vffh-c9pq-4crh. The Liquid engine mitigations added to limit path resolution (root, relativeReference, dynamicPartials) only block quoted paths; i...

6.5CVSS5.7AI score0.00049EPSS

Exploits1References3Affected Software1

CNNVD•added 2026/03/20 12:0 a.m.•3 views

Uptime Kuma 安全漏洞

Uptime Kuma is an easy-to-use, self-hosted monitoring tool developed by Louis Lam. Versions of Uptime Kuma from 1.23.0 to 2.2.0 contain security vulnerabilities. These vulnerabilities stem from incomplete protection against server-side template injections, which could allow unauthorized access to...

6.5CVSS5.8AI score0.00049EPSS

Exploits1References3

Positive Technologies•added 2026/03/20 12:0 a.m.•3 views

PT-2026-26603

6.5CVSS5.7AI score0.00049EPSS

Exploits1References5

NVD•added 2026/03/12 7:16 p.m.•3 views

CVE-2026-32230

5.3CVSS0.00425EPSS

Exploits1References5

CVE•added 2026/03/12 6:13 p.m.•20 views

CVE-2026-32230

Uptime Kuma (2.0.0–2.1.3) contains a missing authorization check on the GET /api/badge/:id/ping/:duration? endpoint. The ping badge endpoint does not verify that the target monitor belongs to a public group, unlike other badge endpoints that enforce public = 1 in SQL queries. This allows unauthen...

5.3CVSS5.8AI score0.00425EPSS

Exploits1References5Affected Software1

OSV•added 2026/03/12 6:13 p.m.•4 views

CVE-2026-32230 Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page

5.3CVSS5.8AI score0.00425EPSS

Exploits1References7

Vulnrichment•added 2026/03/12 6:13 p.m.•0 views

CVE-2026-32230 Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page

5.3CVSS5.8AI score0.00425EPSS

Exploits1References5

ATTACKERKB•added 2026/03/12 6:13 p.m.•3 views

CVE-2026-32230

5.3CVSS5.8AI score0.00425EPSS

Exploits1References6Affected Software1

Cvelist•added 2026/03/12 6:13 p.m.•24 views

CVE-2026-32230 Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page

5.3CVSS0.00425EPSS

Exploits1References5

Github Security Blog•added 2026/03/12 2:47 p.m.•8 views

Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page

Summary The GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely,...

5.3CVSS5.9AI score0.00425EPSS

Exploits1References7Affected Software1

EUVD•added 2026/03/12 2:47 p.m.•5 views

EUVD-2026-11665

Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page...

5.3CVSS5.8AI score0.00425EPSS

Exploits1References5

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by