CVE-2026-30958
published 2026-03-10CVE-2026-30958: OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName…
PriorityP267high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
EXPLOIT
EPSS
0.46%
36.7th percentile
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hackerbay | oneuptime | < 10.0.21 | 10.0.21 |
| oneuptime | oneuptime | < 10.0.21 | 10.0.21 |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-03-10
Published