cvebase

Louislam Uptime-Kuma vulnerabilities

10 known vulnerabilities affecting louislam/uptime-kuma.

Total CVEs: 10
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 6

Vulnerabilities

CVE-2024-56331 | P3 | MEDIUM | CVSS 6.8 | PoC available | Affected: >= 1.23.0, < 1.23.16; = 2.0.0-beta.0 | Published 2024-12-20
CWE-22 (Path Traversal). Uptime Kuma is an open source, self-hosted monitoring tool. An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the "real-browser" request type, which takes a screenshot of the URL provided by the attacker. By supplyi
Sources: GHSA, NVD, OSV
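The check this advisory calls for, as an added example rather than code from the Uptime Kuma project: before a monitor target is handed to a browser-driven ("real-browser") request, parse it and allowlist the scheme, so that `file://` and other non-web schemes never reach the browser. The function names, the allowed-scheme set and the sample targets below are all constructed for this example.

```javascript
// Added example, not Uptime Kuma's code. Allowlist the scheme of a monitor
// target before a browser-driven check opens it.
// Assumptions: the target arrives as an untrusted string, and a screenshot
// monitor only ever needs http or https.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, url } with the normalised URL, or { ok: false, reason }.
function checkMonitorUrl(raw) {
  let parsed;
  try {
    // WHATWG URL parsing lowercases the scheme and host, strips surrounding
    // whitespace, and throws on anything it cannot parse.
    parsed = new URL(String(raw));
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  // Compare the parsed scheme, never a prefix of the raw string:
  // "FILE:///etc/passwd" and " file:///etc/passwd" both parse to "file:".
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} is not allowed` };
  }
  if (parsed.hostname === "") {
    return { ok: false, reason: "missing host" };
  }
  return { ok: true, url: parsed.href };
}

// Constructed inputs an operator (or attacker with an account) might submit
// through the monitor form.
const SAMPLE_TARGETS = [
  "https://status.example.com/health",
  "HTTP://Example.com:8080/",
  "file:///etc/passwd",
  "FILE:///etc/passwd",
  "javascript:alert(1)",
  "not a url",
];

// Screens every sample target; returns [target, allowed] pairs.
function screenSampleTargets() {
  return SAMPLE_TARGETS.map((t) => [t, checkMonitorUrl(t).ok]);
}
```

Rejecting on the parsed `protocol` rather than on a string prefix is the point: case differences, leading whitespace and odd encodings are all normalised by the parser before the comparison, which is what a prefix check would miss.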
CVE-2026-32230 | P3 | MEDIUM | CVSS 5.3 | PoC available | Affected: >= 2.0.0, < 2.2.0 | Published 2026-03-12
CWE-862 (Missing Authorization). Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this c
Sources: GHSA, NVD, OSV
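The missing check, shown as an added example with the vulnerable lookup beside the corrected one. This is not Uptime Kuma's code: the table layout (monitors, groups with a `public` flag, and a monitor_group join table), the row data and the function names are constructed for the example to mirror what the advisory describes.

```javascript
// Added example, not Uptime Kuma's code. Models a badge endpoint that must
// only serve monitors sitting in a public group. Schema and rows below are
// assumptions constructed for this example.

const groups = [
  { id: 1, name: "Public services", public: 1 },
  { id: 2, name: "Internal", public: 0 },
];
const monitors = [
  { id: 10, name: "www", avgPing: 42 },
  { id: 11, name: "vpn-gateway", avgPing: 7 },
  { id: 12, name: "orphan", avgPing: 99 }, // linked to no group at all
];
const monitorGroup = [
  { monitor_id: 10, group_id: 1 },
  { monitor_id: 11, group_id: 2 },
];

// The two query shapes side by side. The join plus `AND "group".public = 1`
// is what the advisory says the ping endpoint lacked; the `?` is a bound
// parameter, never string-concatenated.
function badgeQuery(requirePublic) {
  const base = 'SELECT monitor.* FROM monitor WHERE monitor.id = ?';
  if (!requirePublic) return base; // vulnerable shape
  return (
    'SELECT monitor.* FROM monitor ' +
    'JOIN monitor_group ON monitor.id = monitor_group.monitor_id ' +
    'JOIN "group" ON monitor_group.group_id = "group".id ' +
    'WHERE monitor.id = ? AND "group".public = 1'
  );
}

// Vulnerable shape: any id that exists returns data, public or not.
function pingBadgeVulnerable(id) {
  const m = monitors.find((row) => row.id === id);
  return m ? { status: 200, ping: m.avgPing } : { status: 404 };
}

// In-memory equivalent of the join-and-filter above: true only when the
// monitor is linked to at least one group whose public flag is set.
function isInPublicGroup(id) {
  return monitorGroup.some(
    (link) =>
      link.monitor_id === id &&
      groups.some((g) => g.id === link.group_id && g.public === 1),
  );
}

// Fixed shape: a non-public (or unlinked) monitor is answered exactly like a
// non-existent one, so the response does not leak whether the id exists.
function pingBadgeFixed(id) {
  const m = monitors.find((row) => row.id === id);
  if (!m || !isInPublicGroup(id)) return { status: 404 };
  return { status: 200, ping: m.avgPing };
}
```

In the real router the predicate belongs in the parameterised SQL, as the other badge endpoints already do; the in-memory filter is only here so the example runs offline. Answering 404 for both "no such monitor" and "not public" keeps the endpoint from becoming an existence oracle.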
CVE-2023-36821 | P2 | HIGH | CVSS 8.8 | Fixed in 1.22.1 | Published 2023-07-05
CWE-20 (Improper Input Validation). Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the correspond
Sources: GHSA, NVD, OSV
CVE-2023-49805 | P3 | HIGH | CVSS 8.8 | Fixed in 1.23.9 | Published 2023-12-11
CWE-1385 (Missing Origin Validation in WebSockets). Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows a third-party website to access the application on behalf of its client. When connecting to the server using Socket.IO, the server does not va
Sources: NVD
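The origin check the advisory says was missing, as an added example that is not Uptime Kuma's own code: a Socket.IO server refuses the handshake unless the browser's Origin header matches an explicit allowlist. The allowlist values, the fake request objects and the `allowMissingOrigin` option are assumptions constructed for this example; `allowRequest` itself is a real Socket.IO server option.

```javascript
// Added example, not Uptime Kuma's code. Origin allowlisting for a Socket.IO
// handshake. Allowlist entries and request objects are constructed.

// Normalise to scheme://host[:port] so "https://kuma.example.com",
// "https://kuma.example.com/" and "https://kuma.example.com:443" all compare
// equal (the URL parser lowercases the host and drops default ports).
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin;
  } catch (e) {
    return null; // includes the literal string "null" an opaque origin sends
  }
}

// Decides whether a handshake carrying `originHeader` may proceed.
// Browsers always attach Origin to cross-origin requests and to WebSocket
// upgrades, so a cross-site hijack attempt will never arrive without one.
// A missing header therefore means a non-browser client or a same-origin
// polling GET; rejecting it is the conservative default, and deployments
// that need those callers opt in with allowMissingOrigin.
function originAllowed(originHeader, allowedOrigins, { allowMissingOrigin = false } = {}) {
  if (originHeader === undefined) return allowMissingOrigin;
  if (typeof originHeader !== "string") return false;
  const got = normalizeOrigin(originHeader);
  if (got === null) return false;
  return allowedOrigins.some((a) => normalizeOrigin(a) === got);
}

// Socket.IO runs `allowRequest(req, callback)` before completing a handshake;
// callback(err, success) with a non-null err rejects the connection. Wiring:
//   new Server(httpServer, { allowRequest: makeAllowRequest(["https://kuma.example.com"]) })
function makeAllowRequest(allowedOrigins, options) {
  return (req, callback) => {
    const origin = req.headers ? req.headers.origin : undefined;
    const ok = originAllowed(origin, allowedOrigins, options);
    callback(ok ? null : "origin not allowed", ok);
  };
}
```

Comparing the parsed `origin` rather than doing a substring or prefix match is what defeats look-alike hosts such as `kuma.example.com.evil.example`; the allowlist should be the exact public origins operators serve the UI from, not a wildcard.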
CVE-2023-36822 | P3 | HIGH | CVSS 8.1 | Fixed in 1.22.1 | Published 2023-07-05
CWE-22 (Path Traversal). Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. Before a plugin is downloaded
Sources: GHSA, NVD, OSV
CVE-2023-44400 | P3 | HIGH | CVSS 7.8 | Fixed in 1.23.3 | Published 2023-10-09
CWE-384 (Session Fixation). Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the issue.
Sources: GHSA, NVD, OSV
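The two checks the advisory says were missing, as an added example that is not Uptime Kuma's code: a session token issued before the account's last password change is refused, and so is one that has sat idle longer than an inactivity limit. The session and user records, the 30-minute limit, the placeholder session ids and the timestamps are assumptions constructed for this example; a real server would persist the records and issue random, unguessable tokens.

```javascript
// Added example, not Uptime Kuma's code. Session validation that ties a
// token's lifetime to the account's password-change time and to activity.
// Records, limit and timestamps are constructed assumptions.

const INACTIVITY_LIMIT_MS = 30 * 60 * 1000; // assumed policy: 30 minutes

const users = new Map();    // userId -> { passwordChangedAt: number|null }
const sessions = new Map(); // sessionId -> { userId, issuedAt, lastSeen }
let sessionCounter = 0;

users.set("alice", { passwordChangedAt: null }); // constructed user record

function issueSession(userId, now) {
  if (!users.has(userId)) throw new Error(`unknown user ${userId}`);
  sessionCounter += 1;
  const id = `sess-${sessionCounter}`; // placeholder, not a secure token
  sessions.set(id, { userId, issuedAt: now, lastSeen: now });
  return id;
}

// Recording when the password changed is what lets older tokens be judged stale.
function changePassword(userId, now) {
  users.get(userId).passwordChangedAt = now;
}

// Returns the user id when the session is valid at `now`, otherwise null.
// A session that fails either check is deleted, so a token captured from a
// device cannot be retried later.
function validateSession(sessionId, now) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  const u = users.get(s.userId);
  if (!u) { sessions.delete(sessionId); return null; }
  // Check 1: the token predates (or coincides with) the last password change.
  // Treating the same instant as stale is the conservative choice.
  if (u.passwordChangedAt !== null && s.issuedAt <= u.passwordChangedAt) {
    sessions.delete(sessionId);
    return null;
  }
  // Check 2: idle for longer than the limit since the last accepted request.
  if (now - s.lastSeen > INACTIVITY_LIMIT_MS) {
    sessions.delete(sessionId);
    return null;
  }
  s.lastSeen = now; // sliding window: accepted activity extends the session
  return s.userId;
}

// Walks through the situation the advisory describes with constructed times:
// a token taken from the user's device works only until the password changes
// or the session idles out. Meant to be run once (it mutates the records).
function runScenario() {
  const t0 = 1_700_000_000_000; // arbitrary epoch millisecond, constructed
  const stolen = issueSession("alice", t0);
  const out = {};
  out.beforeChange = validateSession(stolen, t0 + 1_000);   // "alice"
  changePassword("alice", t0 + 2_000);
  out.afterChange = validateSession(stolen, t0 + 3_000);    // null
  const fresh = issueSession("alice", t0 + 4_000);
  out.freshActive = validateSession(fresh, t0 + 5_000);     // "alice"
  out.freshIdle = validateSession(fresh, t0 + 5_000 + INACTIVITY_LIMIT_MS + 1); // null
  return out;
}
```

The password-change check needs only one extra timestamp on the user record, and it also covers the "log out everywhere" case for free; the inactivity check needs the server to update `lastSeen` on every accepted request, which a stateless token cannot do without a store.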
CVE-2026-33130 | P3 | MEDIUM | CVSS 6.5 | Affected: >= 1.23.0, < 2.2.1 | Published 2026-03-20
CWE-98 (Improper Control of Filename for Include/Require Statement). Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh does not fully prevent Server-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute p
Sources: NVD
CVE-2023-49276 | P4 | MEDIUM | CVSS 6.1 | Affected: >= 1.20.0, < 1.23.7 | Published 2023-12-01
CWE-79 (Cross-site Scripting). Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element is vulnerable to Attribute Injection leading to Cross-Site-Scripting (XSS). Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability her
Sources: GHSA, NVD, OSV
CVE-2023-25811 | P4 | MEDIUM | CVSS 5.4 | Fixed in 1.20.0 | Published 2023-02-21
CWE-79 (Cross-site Scripting). Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Sources: NVD
CVE-2023-25810 | P4 | MEDIUM | CVSS 5.4 | Fixed in 1.20.0 | Published 2023-02-21
CWE-79 (Cross-site Scripting). Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Sources: NVD