Browse all 3 CVE security advisories affecting OneSignal. AI-powered Chinese analysis, POCs, and references for each vulnerability.
OneSignal provides customer engagement tools through push notifications, in-app messaging, and email marketing platforms. Historically, vulnerabilities have included stored cross-site scripting (XSS) and remote code execution (RCE) flaws, often stemming from improper input validation and insecure deserialization. The platform has faced security incidents, including a 2021 vulnerability (CVE-2021-44228) in its SDK that allowed RCE due to a Log4j flaw. Security characteristics include third-party integrations and API endpoints that require robust access controls. With three CVEs on record, the platform's security posture reflects common risks in web-based communication services, emphasizing the need for regular security assessments and prompt patch management.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-3155 | OneSignal – Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id' — OneSignal – Web Push NotificationsCWE-862 | 3.1 | Low | 2026-04-16 |
| CVE-2025-13950 | OneSignal – Web Push Notifications <= 3.6.1 - Missing Authorization to Unauthenticated Plugin Settings Update — OneSignal – Web Push NotificationsCWE-862 | 5.3 | Medium | 2025-12-15 |
| CVE-2023-28430 | OneSignal repository github action command injection — react-native-onesignalCWE-77 | 7.3 | High | 2023-03-27 |
This page lists every published CVE security advisory associated with OneSignal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.