Uptime Kuma vulnerabilities (vendor: uptime.kuma)
6 known vulnerabilities affecting uptime.kuma/uptime_kuma.
Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 3
Vulnerabilities
CVE-2026-32230 | P3 | MEDIUM | CVSS 5.3 | PoC | affected ≥ 2.0.0, < 2.2.0 | published 2026-03-12
Weakness: CWE-862
Description: Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this c
Source: nvd
CVE-2023-49805 | P3 | HIGH | CVSS 8.8 | fixed in 1.23.9 | published 2023-12-11
Weakness: CWE-1385
Description: Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows a third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not va
Source: nvd
CVE-2023-44400 | P3 | HIGH | CVSS 7.8 | fixed in 1.23.3 | published 2023-10-09
Weakness: CWE-384
Description: Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the issue.
Source: nvd
CVE-2023-49804 | P3 | HIGH | CVSS 7.8 | fixed in 1.23.9 | published 2023-12-11
Description: Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being logged out. This behavior persists consistently, even after system restarts or browser restarts. This vulnerability allows unauthorized access to user accounts, co
Source: nvd
CVE-2026-33130 | P3 | MEDIUM | CVSS 6.5 | affected ≥ 1.23.0, < 2.2.1 | published 2026-03-20
Weakness: CWE-98
Description: Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to prevent Server-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute p
Source: nvd
CVE-2023-49276 | P4 | MEDIUM | CVSS 6.1 | affected ≥ 1.20.0, < 1.23.7 | published 2023-12-01
Weakness: CWE-79
Description: Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element is vulnerable to Attribute Injection leading to Cross-Site-Scripting (XSS). Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability her
Source: nvd