OS Command Injection Vulnerability in OneUptime Monitoring Solution
CVE-2026-27728

10 CRITICAL

Key Information:

Vendor

Oneuptime

Status
Vendor
CVE Published: 25 February 2026

What is CVE-2026-27728?

OneUptime, a service monitoring and management solution, contains an OS command injection vulnerability in the NetworkPathMonitor.performTraceroute() function. An authenticated user can execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into the monitor's destination field. The issue is fixed in version 10.0.7; installations running an earlier version should update.
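The sketch below is an added example, not OneUptime's code or its 10.0.7 fix. It shows the general mitigation for this bug class: validate the destination as a plain host or IP address, then start traceroute with an argument array so that no shell parses the value. The names buildTracerouteArgs and runTraceroute are hypothetical, and it assumes a traceroute binary that accepts -n.

```javascript
// Added example with hypothetical helper names; not the project's code.
const HOST_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

function isIPv4(s) {
  const parts = s.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Character-set check only (hex digits and colons, at least two colons).
// It does not prove the address is well-formed; traceroute rejects bad ones.
function looksLikeIPv6(s) {
  return s.length <= 45 && /^[0-9a-f:]+$/i.test(s) && s.split(":").length >= 3;
}

// Each label starts and ends with an alphanumeric, so a value can never
// begin with "-" and be read by traceroute as an option.
function isHostname(s) {
  return s.length <= 253 && s.split(".").every((label) => HOST_LABEL.test(label));
}

// Returns the argv for traceroute, or throws if the destination is not a
// plain hostname or IP address.
function buildTracerouteArgs(destination) {
  if (typeof destination !== "string") {
    throw new TypeError("destination must be a string");
  }
  const d = destination.trim();
  if (!(isIPv4(d) || looksLikeIPv6(d) || isHostname(d))) {
    throw new Error("invalid traceroute destination");
  }
  return ["-n", d];
}

// Generic pattern behind this bug class, for contrast: building one command
// string such as exec(`traceroute ${destination}`) hands the field to /bin/sh.
function runTraceroute(destination, callback) {
  const { execFile } = require("node:child_process");
  // execFile passes argv straight to the binary; no shell is involved.
  return execFile("traceroute", buildTracerouteArgs(destination),
    { timeout: 60000 }, callback);
}
```

Validation and the argument array are both needed: execFile alone removes the shell, but a destination beginning with a hyphen would still reach traceroute as an option.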

Affected Version(s)

oneuptime < 10.0.7

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.