npm package
@oneuptime/common
pkg:npm/%40oneuptime/common
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30959 | — | — | — | < 10.0.21 | 10.0.21 | Mar 10, 2026 | OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects |
| CVE-2026-30957 | — | — | — | < 10.0.21 | 10.0.21 | Mar 10, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic |
| CVE-2026-30956 | — | — | — | < 10.0.21 | 10.0.21 | Mar 10, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low-privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid heade |
| CVE-2026-30921 | — | — | — | < 10.0.20 | 10.0.20 | Mar 9, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted c |
| CVE-2026-30920 | — | — | — | < 10.0.19 | 10.0.19 | Mar 9, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is a |
| CVE-2026-30887 | — | — | — | < 10.0.18 | 10.0.18 | Mar 9, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node |
| CVE-2026-28787 | — | — | — | <= 10.0.11 | — | Mar 6, 2026 | OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client reques |
| CVE-2026-27728 | — | — | — | < 10.0.7 | 10.0.7 | Feb 25, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server |
| CVE-2026-27574 | — | — | — | < 10.0.0 | 10.0.0 | Feb 21, 2026 | OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape vi |
| CVE-2025-66028 | — | — | — | < 8.0.5567 | 8.0.5567 | Nov 26, 2025 | OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By interceptin |
| CVE-2025-65966 | — | — | — | < 9.1.0 | 9.1.0 | Nov 26, 2025 | OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0. |