Remote Code Execution Vulnerability in OneUptime by OneUptime
CVE-2026-30957

10 CRITICAL

Key Information:

Vendor: Oneuptime

Status
Vendor
CVE Published: 10 March 2026

What is CVE-2026-30957?

OneUptime, a monitoring solution, has a vulnerability that allows low-privileged authenticated project users to execute arbitrary commands on the oneuptime-probe server. The probe executes untrusted code within Node's virtual machine and exposes live Playwright browser and page objects to that code. A malicious user can exploit this by calling Playwright APIs on the exposed browser object, leading to the deployment of attacker-controlled executables. This issue affects versions prior to 10.0.21 and has been addressed in the latest release.

Affected Version(s)

oneuptime < 10.0.21

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved