
oneuptime — Vulnerabilities & Security Advisories (23)

All 23 CVE vulnerabilities found in oneuptime, with AI-generated Chinese analysis, references, and POCs.

Vendor: OneUptime

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-35053 | OneUptime: Unauthenticated Workflow Execution via ManualAPI | CWE-306 | 7.1 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-34840 | OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification | CWE-347 | 8.1 | High | 2026-04-02 |
| CVE-2026-34759 | OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure | CWE-862 | 8.2 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-34758 | OneUptime: Missing Authentication on Notification Endpoints | CWE-306 | 9.1 | Critical | 2026-04-02 |
| CVE-2026-33396 | OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe | CWE-78 | 10.0 | Critical | 2026-03-26 |
| CVE-2026-33142 | OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters | CWE-89 | 8.1 | High | 2026-03-20 |
| CVE-2026-33143 | OneUptime: WhatsApp Webhook Missing Signature Verification | CWE-345 | 5.3 | - | 2026-03-20 |
| CVE-2026-32598 | OneUptime: Password Reset Token Logged at INFO Level | CWE-532 | 8.1 | - | 2026-03-12 |
| CVE-2026-32308 | OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose") | CWE-79 | 7.6 | High | 2026-03-12 |
| CVE-2026-32306 | OneUptime ClickHouse SQL Injection via Aggregate Query Parameters | CWE-89 | 10.0 | Critical | 2026-03-12 |
| CVE-2026-30959 | OneUptime has WhatsApp Resend Verification Authorization Bypass | CWE-285 | 8.1 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30958 | OneUptime: Path Traversal — Arbitrary File Read (No Auth) | CWE-22 | 7.2 | High | 2026-03-10 |
| CVE-2026-30957 | OneUptime Synthetic Monitor RCE via exposed Playwright browser object | CWE-749 | 10.0 | Critical | 2026-03-10 |
| CVE-2026-30956 | OneUptime has authorization bypass via client-controlled is-multi-tenant-query header | CWE-285 | 10.0 | Critical | 2026-03-10 |
| CVE-2026-30921 | OneUptime Synthetic Monitor RCE via exposed Playwright browser object | CWE-749 | 10.0 | Critical | 2026-03-09 |
| CVE-2026-30920 | OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding | CWE-345 | 8.6 | High | 2026-03-09 |
| CVE-2026-30887 | OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE | CWE-94 | 10.0 | Critical | 2026-03-09 |
| CVE-2026-28787 | OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay | CWE-287 | 8.2 | High | 2026-03-06 |
| CVE-2026-27728 | OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() | CWE-78 | 10.0 | Critical | 2026-02-25 |
| CVE-2026-27574 | OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE | CWE-94 | 10.0 | Critical | 2026-02-21 |
| CVE-2025-66028 | OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation | CWE-284 | 8.8 (AI) | High (AI) | 2025-11-26 |
| CVE-2025-65966 | OneUptime Unauthorized User Creation via API | CWE-285 | 4.3 (AI) | Medium (AI) | 2025-11-26 |
| CVE-2024-29194 | OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation | CWE-639 | 8.3 | High | 2024-03-24 |

"(AI)" reproduces the page's AI badge on that CVSS score or severity; "-" means the page lists no severity for that entry.
