cbcvebase.
CVE-2026-30958
published 2026-03-10

CVE-2026-30958: OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName…

PriorityP267high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
EXPLOIT
EPSS
0.46%
36.7th percentile
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.

Affected

2 ranges
VendorProductVersion rangeFixed in
hackerbayoneuptime< 10.0.2110.0.21
oneuptimeoneuptime< 10.0.2110.0.21
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.