
OneUptime — Vulnerabilities & Security Advisories (23)

Browse all 23 CVE security advisories affecting OneUptime. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OneUptime operates as a monitoring and incident management platform, enabling organizations to track service availability and coordinate response efforts. Despite its utility in maintaining operational continuity, the software has faced significant scrutiny regarding its security posture, evidenced by the twenty-three recorded Common Vulnerabilities and Exposures (CVEs). Historical analysis reveals a pattern of critical flaws, primarily involving remote code execution and cross-site scripting, which allow attackers to compromise system integrity or steal user data. Additionally, privilege escalation vulnerabilities have been documented, potentially granting unauthorized users administrative control. These recurring issues suggest systemic weaknesses in input validation and access control mechanisms within the application’s architecture. While no single catastrophic public breach has been widely reported, the high volume of disclosed vulnerabilities indicates a need for rigorous security audits and proactive patch management to mitigate risks associated with its monitoring capabilities.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-35053 | OneUptime: Unauthenticated Workflow Execution via ManualAPI | oneuptime | CWE-306 | 7.1 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-34840 | OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification | oneuptime | CWE-347 | 8.1 | High | 2026-04-02 |
| CVE-2026-34759 | OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure | oneuptime | CWE-862 | 8.2 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-34758 | OneUptime: Missing Authentication on Notification Endpoints | oneuptime | CWE-306 | 9.1 | Critical | 2026-04-02 |
| CVE-2026-33396 | OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe | oneuptime | CWE-78 | 10.0 | Critical | 2026-03-26 |
| CVE-2026-33142 | OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters | oneuptime | CWE-89 | 8.1 | High | 2026-03-20 |
| CVE-2026-33143 | OneUptime: WhatsApp Webhook Missing Signature Verification | oneuptime | CWE-345 | 5.3 | - | 2026-03-20 |
| CVE-2026-32598 | OneUptime: Password Reset Token Logged at INFO Level | oneuptime | CWE-532 | 8.1 | - | 2026-03-12 |
| CVE-2026-32308 | OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose") | oneuptime | CWE-79 | 7.6 | High | 2026-03-12 |
| CVE-2026-32306 | OneUptime ClickHouse SQL Injection via Aggregate Query Parameters | oneuptime | CWE-89 | 10.0 | Critical | 2026-03-12 |
| CVE-2026-30959 | OneUptime has WhatsApp Resend Verification Authorization Bypass | oneuptime | CWE-285 | 8.1 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30958 | OneUptime: Path Traversal — Arbitrary File Read (No Auth) | oneuptime | CWE-22 | 7.2 | High | 2026-03-10 |
| CVE-2026-30957 | OneUptime Synthetic Monitor RCE via exposed Playwright browser object | oneuptime | CWE-749 | 10.0 | Critical | 2026-03-10 |
| CVE-2026-30956 | OneUptime has authorization bypass via client-controlled is-multi-tenant-query header | oneuptime | CWE-285 | 10.0 | Critical | 2026-03-10 |
| CVE-2026-30921 | OneUptime Synthetic Monitor RCE via exposed Playwright browser object | oneuptime | CWE-749 | 10.0 | Critical | 2026-03-09 |
| CVE-2026-30920 | OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding | oneuptime | CWE-345 | 8.6 | High | 2026-03-09 |
| CVE-2026-30887 | OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE | oneuptime | CWE-94 | 10.0 | Critical | 2026-03-09 |
| CVE-2026-28787 | OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay | oneuptime | CWE-287 | 8.2 | High | 2026-03-06 |
| CVE-2026-27728 | OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() | oneuptime | CWE-78 | 10.0 | Critical | 2026-02-25 |
| CVE-2026-27574 | OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE | oneuptime | CWE-94 | 10.0 | Critical | 2026-02-21 |
| CVE-2025-66028 | OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation | oneuptime | CWE-284 | 8.8 (AI) | High (AI) | 2025-11-26 |
| CVE-2025-65966 | OneUptime Unauthorized User Creation via API | oneuptime | CWE-285 | 4.3 (AI) | Medium (AI) | 2025-11-26 |
| CVE-2024-29194 | OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation | oneuptime | CWE-639 | 8.3 | High | 2024-03-24 |

This page lists every published CVE security advisory associated with OneUptime. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.