VYPR

npm package

oneuptime

pkg:npm/oneuptime

Vulnerabilities (5)

  • CVE-2026-33142 · Mar 20, 2026
    affected < 10.0.34 · fixed 10.0.34

    OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to thr

  • CVE-2026-33143 · Mar 20, 2026
    affected < 10.0.34 · fixed 10.0.34

    OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowi

  • CVE-2026-32598 · Mar 12, 2026
    affected < 10.0.23 · fixed 10.0.23

    OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to applica

  • CVE-2026-32308 · Mar 12, 2026
    affected < 10.0.23 · fixed 10.0.23

    OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in M

  • CVE-2026-32306 · Mar 12, 2026
    affected < 10.0.23 · fixed 10.0.23

    OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL quer