| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-35053 | OneUptime: Unauthenticated Workflow Execution via ManualAPI | OneUptime | oneuptime | - | - | 2026-04-02 18:55:49 | Deep Dive |
| CVE-2026-34840 | OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification | OneUptime | oneuptime | High | 8.1 | 2026-04-02 18:52:48 | Deep Dive |
| CVE-2026-34759 | OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure | OneUptime | oneuptime | - | - | 2026-04-02 18:50:55 | Deep Dive |
| CVE-2026-34758 | OneUptime: Missing Authentication on Notification Endpoints | OneUptime | oneuptime | Critical | 9.1 | 2026-04-02 18:49:30 | Deep Dive |
| CVE-2026-33396 | OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe | OneUptime | oneuptime | Critical | 9.9 | 2026-03-26 13:40:12 | Deep Dive |
| CVE-2026-33142 | OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters | OneUptime | oneuptime | High | 8.1 | 2026-03-20 20:05:20 | Deep Dive |
| CVE-2026-33143 | OneUptime: WhatsApp Webhook Missing Signature Verification | OneUptime | oneuptime | Medium | - | 2026-03-20 20:05:14 | Deep Dive |
| CVE-2026-32598 | OneUptime: Password Reset Token Logged at INFO Level | OneUptime | oneuptime | Medium | - | 2026-03-12 21:31:13 | Deep Dive |
| CVE-2026-32308 | OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose") | OneUptime | oneuptime | High | 7.6 | 2026-03-12 21:29:01 | Deep Dive |
| CVE-2026-32306 | OneUptime ClickHouse SQL Injection via Aggregate Query Parameters | OneUptime | oneuptime | Critical | 9.9 | 2026-03-12 21:27:51 | Deep Dive |
| CVE-2026-30959 | OneUptime has WhatsApp Resend Verification Authorization Bypass | OneUptime | oneuptime | - | - | 2026-03-10 17:06:34 | Deep Dive |
| CVE-2026-30958 | OneUptime: Path Traversal — Arbitrary File Read (No Auth) | OneUptime | oneuptime | High | 7.2 | 2026-03-10 17:01:44 | Deep Dive |
| CVE-2026-30957 | OneUptime Synthetic Monitor RCE via exposed Playwright browser object | OneUptime | oneuptime | Critical | 9.9 | 2026-03-10 16:58:28 | Deep Dive |
| CVE-2026-30956 | OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header | OneUptime | oneuptime | Critical | 9.9 | 2026-03-10 16:56:29 | Deep Dive |
| CVE-2026-30921 | OneUptime Synthetic Monitor RCE via exposed Playwright browser object | OneUptime | oneuptime | Critical | 9.9 | 2026-03-09 22:58:59 | Deep Dive |
| CVE-2026-30920 | OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding | OneUptime | oneuptime | High | 8.6 | 2026-03-09 22:57:06 | Deep Dive |
| CVE-2026-30887 | OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE | OneUptime | oneuptime | Critical | 9.9 | 2026-03-09 22:40:04 | Deep Dive |
| CVE-2026-28787 | OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay | OneUptime | oneuptime | High | 8.2 | 2026-03-06 04:55:41 | Deep Dive |
| CVE-2026-27728 | OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() | OneUptime | oneuptime | Critical | 9.9 | 2026-02-25 16:25:10 | Deep Dive |
| CVE-2026-27574 | OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE | OneUptime | oneuptime | Critical | 9.9 | 2026-02-21 10:13:04 | Deep Dive |