CVE-2026-30921
Published: 2026-03-10
Priority: P2 (64)
Severity: critical, CVSS 3.1 base score 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.45% (35.5th percentile)
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hackerbay | oneuptime | < 10.0.20 | 10.0.20 |
| oneuptime | common | >= 0 < 10.0.20 | 10.0.20 |
| oneuptime | oneuptime | < 10.0.20 | 10.0.20 |
OSV
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
osv · 2026-03-07 · CVE-2026-30921 [CRITICAL]
Summary
OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the `oneuptime-probe` service. In the current implementation, this untrusted code is run inside Node's `vm` and is given live host Playwright objects such as `browser` and `page`.
This creates a distinct server-side RCE primitive: the attacker does not need the classic `this.constructor.constructor(...)` sandbox escape. Instead, the attacker can directly use the injected Playwright `browser` object to reach `browser.browserType().launch(...)` and spawn an arbitrary executable on the probe host/container.
This appears to be a separate issue from the previously published `node:vm(GHSA-h343-gg57-
GHSA
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
ghsa · 2026-03-07 · CVE-2026-30921 [CRITICAL] · CWE-749
No detection rules found.
No public exploits indexed.
Published: 2026-03-10