CVE-2026-30957
published 2026-03-10

Priority: P2 (73)
Severity: critical
CVSS 3.1 base score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 1.15% (63.0th percentile)
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.

Affected (3 ranges)

Vendor    | Product   | Version range   | Fixed in
hackerbay | oneuptime | < 10.0.21       | 10.0.21
oneuptime | common    | >= 0, < 10.0.21 | 10.0.21
oneuptime | oneuptime | < 10.0.21       | 10.0.21