CVE-2026-27728
Published 2026-02-25
Priority: P2 · 65 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.73% (74.7th percentile)
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Version 10.0.7 fixes the vulnerability.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hackerbay | oneuptime | < 10.0.7 | 10.0.7 |
| oneuptime | common | >= 0 < 10.0.7 | 10.0.7 |
| oneuptime | oneuptime | < 10.0.7 | 10.0.7 |
GHSA (published 2026-02-25)
CVE-2026-27728 [CRITICAL] CWE-78: OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()
## Summary
An OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field.
## Details
The vulnerability exists in [`Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts`](Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts), lines 149–191.
The `performTraceroute()` method constructs a shell command by directly interpolating the user-controlled `destination` parameter into a string template, then executes it via `child_process.exec()` (wrapped through `promisify`):
```typescript
//
```
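The remediation shape the advisory points at, written here as an added example rather than OneUptime's own code: validate the destination against a strict hostname/IP grammar, then hand it to `child_process.execFile()` as a separate argv element so no shell ever parses it. The `traceroute` binary on PATH, the `-n -m 30` arguments, and every function name below are assumptions for illustration; the unsafe builder is kept only to show, by contrast, that a template string passes shell metacharacters straight through.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Hypothetical grammar for a traceroute target: DNS hostname, IPv4 or IPv6 literal.
// Anything containing spaces, quotes, ';', '|', '$', backticks etc. fails all three.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$/;
const IPV4_RE =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const IPV6_RE = /^(?=.{2,39}$)[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$/;

export function isValidDestination(dest: string): boolean {
  return HOSTNAME_RE.test(dest) || IPV4_RE.test(dest) || IPV6_RE.test(dest);
}

// The vulnerable pattern the advisory describes (exec() on an interpolated string):
// the destination is spliced into shell syntax unchanged, so metacharacters survive.
// Shown for contrast only; never execute this string.
export function unsafeShellCommand(dest: string): string {
  return `traceroute -n -m 30 ${dest}`;
}

// Hardened form: build argv, refusing anything outside the grammar. A leading '-'
// is already rejected by HOSTNAME_RE, so the destination cannot become an option.
export function buildTracerouteArgs(dest: string, maxHops = 30): string[] {
  if (!isValidDestination(dest)) {
    throw new Error(`invalid traceroute destination: ${JSON.stringify(dest)}`);
  }
  return ["-n", "-m", String(maxHops), dest];
}

// execFile() with an argv array spawns the binary directly (no shell), so each
// element reaches traceroute verbatim; timeout/maxBuffer bound a slow or noisy run.
export async function performTracerouteSafe(
  dest: string,
  timeoutMs = 60_000,
): Promise<string> {
  const args = buildTracerouteArgs(dest);
  const { stdout } = await execFileAsync("traceroute", args, {
    timeout: timeoutMs,
    maxBuffer: 1024 * 1024,
  });
  return stdout;
}
```

Validation still matters with `execFile()`: the array form removes the shell, but the binary's own option parser is a second sink, which is why the grammar refuses a leading `-`.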
OSV (published 2026-02-25)
CVE-2026-27728 [CRITICAL] OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()
No detection rules found.
No public exploits indexed.
Published: 2026-02-25