npm package
oneuptime
pkg:npm/oneuptime
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33142 | — | | | < 10.0.34 | 10.0.34 | Mar 20, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to thr |
| CVE-2026-33143 | — | | | < 10.0.34 | 10.0.34 | Mar 20, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowi |
| CVE-2026-32598 | — | | | < 10.0.23 | 10.0.23 | Mar 12, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to applica |
| CVE-2026-32308 | — | | | < 10.0.23 | 10.0.23 | Mar 12, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in M |
| CVE-2026-32306 | — | | | < 10.0.23 | 10.0.23 | Mar 12, 2026 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL quer |