npm package
uptime-kuma
pkg:npm/uptime-kuma
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32230 | — | >= 2.0.0, < 2.2.0 | 2.2.0 | Mar 12, 2026 | Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 i | ||
| CVE-2025-26042 | Med | 6.0 | >= 1.15.0, <= 1.23.16 | — | Mar 17, 2025 | Uptime Kuma >== 1.23.0 has a ReDoS vulnerability, specifically when an administrator creates a notification through the web service. If a string is provided it triggers catastrophic backtracking in the regular expression, leading to a ReDoS attack. | |
| CVE-2024-56331 | Med | 6.8 | >= 1.23.0, < 1.23.16 | 1.23.16 | Dec 20, 2024 | Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the **"real-browser"** request type, | |
| CVE-2023-49804 | — | < 1.23.9 | 1.23.9 | Dec 11, 2023 | Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being logged out. This behavior persists consistently, even after system restarts or bro | ||
| CVE-2023-49276 | — | >= 1.20.0, < 1.23.7 | 1.23.7 | Dec 1, 2023 | Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element in vulnerable to Attribute Injection leading to Cross-Site-Scripting (XSS). Since the custom status interface can set an independent Google Analytics ID and the template h | ||
| CVE-2023-44400 | — | < 1.23.3 | 1.23.3 | Oct 9, 2023 | Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 ha | ||
| CVE-2023-36822 | — | < 1.22.1 | 1.22.1 | Jul 5, 2023 | Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding A | ||
| CVE-2023-36821 | — | < 1.22.1 | 1.22.1 | Jul 5, 2023 | Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. T |
- CVE-2026-32230Mar 12, 2026affected >= 2.0.0, < 2.2.0fixed 2.2.0
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 i
- affected >= 1.15.0, <= 1.23.16
Uptime Kuma >== 1.23.0 has a ReDoS vulnerability, specifically when an administrator creates a notification through the web service. If a string is provided it triggers catastrophic backtracking in the regular expression, leading to a ReDoS attack.
- affected >= 1.23.0, < 1.23.16fixed 1.23.16
Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the **"real-browser"** request type,
- CVE-2023-49804Dec 11, 2023affected < 1.23.9fixed 1.23.9
Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being logged out. This behavior persists consistently, even after system restarts or bro
- CVE-2023-49276Dec 1, 2023affected >= 1.20.0, < 1.23.7fixed 1.23.7
Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element in vulnerable to Attribute Injection leading to Cross-Site-Scripting (XSS). Since the custom status interface can set an independent Google Analytics ID and the template h
- CVE-2023-44400Oct 9, 2023affected < 1.23.3fixed 1.23.3
Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 ha
- CVE-2023-36822Jul 5, 2023affected < 1.22.1fixed 1.22.1
Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding A
- CVE-2023-36821Jul 5, 2023affected < 1.22.1fixed 1.22.1
Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. T