This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: OneUptime β€ v9.5.13 suffers from **Code Injection** via the insecure `node:vm` module in Custom JavaScript monitoring. π **Consequences**: Sandbox escape leading to **Full Cluster Compromise** (RCE).
Q2Root Cause? (CWE/Flaw)
π‘οΈ **Root Cause**: **CWE-94** (Code Injection). The flaw lies in using an unsafe `node:vm` module to execute user-supplied JavaScript code without proper isolation. β οΈ
Q3Who is affected? (Versions/Components)
π― **Affected**: **OneUptime** versions **9.5.13 and earlier**. Specifically the **Custom JavaScript Monitoring** feature. π¦
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: Gains **High Privileges**. Can escape the sandbox, execute arbitrary code, and achieve **Complete Cluster Break-in**. Data integrity & availability are at risk. π
Q5Is exploitation threshold high? (Auth/Config)
π **Exploitation Threshold**: **Low**. Requires **Low Privileges** (PR:L) and **Low Complexity** (AC:L). No User Interaction (UI:N) needed. Network accessible (AV:N). π
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Public Exploit**: **Yes**. A PoC is available on GitHub: `mbanyamer/CVE-2026-27574-OneUptime-RCE`. Wild exploitation is possible. π£
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for **OneUptime** instances running version **β€ 9.5.13**. Check if **Custom JavaScript Monitoring** is enabled. Look for `node:vm` usage in the codebase. π§