CVE-2026-30957

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-30957

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30957.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-30957

Aliases

GHSA-jw8q-gjvg-8w4q

Published

2026-03-10T16:58:28.216Z

Modified

2026-04-10T05:42:03.404353Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

OneUptime Synthetic Monitor RCE via exposed Playwright browser object

Details

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.

Database specific

{
    "cwe_ids": [
        "CWE-749"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30957.json"
}

References

Affected packages

Git / github.com/oneuptime/oneuptime

Affected ranges

Type: GIT
Repo: https://github.com/oneuptime/oneuptime
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fed52fecd9cc384bc8cbc03d9765e5b610201eca

Affected versions

Other

${CI_PIPELINE_ID}

build-number-6149

build-number-6151

build-number-6206

build-number-6214

build-number-6343

build-number-6345

build-number-6372

build-number-6390

build-number-6393

build-number-6402

build-number-6408

10.*

10.0.11

10.0.15

10.0.16

10.0.17

10.0.18

10.0.20

10.0.5

10.0.7

6.*

6.0.$CI_PIPELINE_ID

6.0.1

6.0.12

6.0.14

6.0.15

6.0.17

6.0.18

6.0.19

6.0.2

6.0.20

6.0.21

6.0.22

6.0.23

6.0.24

6.0.25

6.0.26

6.0.27

7.*

7.0.1000

7.0.1004

7.0.1039

7.0.104

7.0.1055

7.0.106

7.0.1078

7.0.109

7.0.1093

7.0.11

7.0.112

7.0.114

7.0.1143

7.0.1144

7.0.1167

7.0.1174

7.0.1183

7.0.1184

7.0.1191

7.0.1192

7.0.1195

7.0.122

7.0.1225

7.0.1229

7.0.123

7.0.1230

7.0.1243

7.0.1246

7.0.126

7.0.1265

7.0.1290

7.0.1297

7.0.130

7.0.131

7.0.1326

7.0.1327

7.0.134

7.0.1341

7.0.1353

7.0.137

7.0.1375

7.0.1377

7.0.1378

7.0.1379

7.0.1383

7.0.139

7.0.141

7.0.1430

7.0.1436

7.0.144

7.0.1441

7.0.1461

7.0.1469

7.0.149

7.0.1491

7.0.1494

7.0.1500

7.0.1502

7.0.1505

7.0.1506

7.0.1510

7.0.1513

7.0.1514

7.0.1517

7.0.1528

7.0.1529

7.0.1544

7.0.1555

7.0.1557

7.0.1568

7.0.1581

7.0.1585

7.0.1586

7.0.160

7.0.162

7.0.1633

7.0.1637

7.0.1638

7.0.1642

7.0.1643

7.0.165

7.0.167

7.0.1688

7.0.169

7.0.1694

7.0.1697

7.0.1708

7.0.1709

7.0.1717

7.0.173

7.0.1740

7.0.1741

7.0.1744

7.0.1745

7.0.1751

7.0.1752

7.0.1758

7.0.1767

7.0.1769

7.0.1780

7.0.1787

7.0.179

7.0.1790

7.0.1791

7.0.1792

7.0.1794

7.0.1797

7.0.18

7.0.1800

7.0.1803

7.0.1814

7.0.1815

7.0.182

7.0.1829

7.0.183

7.0.1830

7.0.1843

7.0.1852

7.0.1854

7.0.1856

7.0.1858

7.0.1860

7.0.1862

7.0.1866

7.0.1867

7.0.1870

7.0.1871

7.0.1874

7.0.1880

7.0.1881

7.0.1886

7.0.1888

7.0.1891

7.0.1894

7.0.1901

7.0.1902

7.0.1910

7.0.1929

7.0.193

7.0.1930

7.0.1931

7.0.1934

7.0.1935

7.0.1940

7.0.1945

7.0.1965

7.0.1966

7.0.197

7.0.1978

7.0.1982

7.0.1987

7.0.200

7.0.2009

7.0.201

7.0.2012

7.0.2014

7.0.2016

7.0.2018

7.0.2032

7.0.2033

7.0.204

7.0.2051

7.0.2055

7.0.2057

7.0.2062

7.0.2063

7.0.2066

7.0.2084

7.0.2086

7.0.2088

7.0.21

7.0.2118

7.0.213

7.0.2171

7.0.2186

7.0.219

7.0.2190

7.0.2191

7.0.2195

7.0.2196

7.0.2200

7.0.2207

7.0.2223

7.0.2224

7.0.2231

7.0.2233

7.0.2237

7.0.2239

7.0.224

7.0.2240

7.0.2243

7.0.2246

7.0.2270

7.0.228

7.0.231

7.0.2319

7.0.2320

7.0.2327

7.0.2335

7.0.2341

7.0.2346

7.0.2349

7.0.2354

7.0.2358

7.0.2361

7.0.2363

7.0.2371

7.0.2372

7.0.2377

7.0.239

7.0.2401

7.0.2402

7.0.2410

7.0.2446

7.0.2448

7.0.2449

7.0.2471

7.0.2473

7.0.2475

7.0.2476

7.0.2478

7.0.2479

7.0.2482

7.0.2487

7.0.2509

7.0.2525

7.0.2550

7.0.2571

7.0.2572

7.0.2574

7.0.2589

7.0.2620

7.0.2625

7.0.2628

7.0.2639

7.0.2643

7.0.2666

7.0.2721

7.0.2725

7.0.2730

7.0.2774

7.0.2825

7.0.2828

7.0.2832

7.0.2837

7.0.2846

7.0.2873

7.0.2875

7.0.2885

7.0.290

7.0.2901

7.0.2908

7.0.291

7.0.2913

7.0.2920

7.0.2923

7.0.2928

7.0.2936

7.0.294

7.0.296

7.0.297

7.0.2972

7.0.2976

7.0.298

7.0.2994

7.0.3010

7.0.3018

7.0.3035

7.0.3038

7.0.3040

7.0.3052

7.0.3064

7.0.3076

7.0.3080

7.0.3086

7.0.3095

7.0.3113

7.0.3124

7.0.3126

7.0.3129

7.0.3140

7.0.3148

7.0.3153

7.0.3158

7.0.3163

7.0.3176

7.0.318

7.0.3188

7.0.3198

7.0.3206

7.0.321

7.0.3211

7.0.3212

7.0.3225

7.0.3227

7.0.3237

7.0.3240

7.0.3242

7.0.3245

7.0.3250

7.0.3260

7.0.3278

7.0.3279

7.0.3291

7.0.3300

7.0.3309

7.0.3330

7.0.3336

7.0.3338

7.0.3343

7.0.335

7.0.3350

7.0.3351

7.0.3357

7.0.336

7.0.3365

7.0.3377

7.0.3387

7.0.339

7.0.3393

7.0.3403

7.0.3405

7.0.341

7.0.3413

7.0.3426

7.0.3437

7.0.344

7.0.3442

7.0.3445

7.0.3448

7.0.3453

7.0.3456

7.0.346

7.0.3464

7.0.3471

7.0.348

7.0.3480

7.0.35

7.0.350

7.0.3515

7.0.3517

7.0.352

7.0.3526

7.0.3538

7.0.354

7.0.3546

7.0.3548

7.0.3549

7.0.355

7.0.3557

7.0.3565

7.0.3579

7.0.358

7.0.3599

7.0.360

7.0.361

7.0.3611

7.0.3617

7.0.362

7.0.363

7.0.365

7.0.3652

7.0.366

7.0.367

7.0.3679

7.0.368

7.0.3682

7.0.3688

7.0.369

7.0.3691

7.0.3697

7.0.3699

7.0.3705

7.0.3708

7.0.3786

7.0.38

7.0.3822

7.0.3826

7.0.3831

7.0.3840

7.0.3882

7.0.3887

7.0.39

7.0.3903

7.0.3911

7.0.3914

7.0.3918

7.0.3922

7.0.3928

7.0.3930

7.0.3935

7.0.3939

7.0.3949

7.0.395

7.0.3952

7.0.3956

7.0.3958

7.0.3962

7.0.3965

7.0.3966

7.0.3970

7.0.3974

7.0.3975

7.0.3976

7.0.398

7.0.3980

7.0.3987

7.0.399

7.0.3993

7.0.4019

7.0.403

7.0.4034

7.0.404

7.0.4041

7.0.4066

7.0.407

7.0.4078

7.0.4084

7.0.409

7.0.4090

7.0.4093

7.0.4098

7.0.4099

7.0.410

7.0.4100

7.0.4102

7.0.4114

7.0.4115

7.0.4116

7.0.4123

7.0.4129

7.0.413

7.0.4135

7.0.414

7.0.4142

7.0.4144

7.0.4148

7.0.4150

7.0.4156

7.0.4158

7.0.416

7.0.4161

7.0.4166

7.0.4176

7.0.4188

7.0.419

7.0.4193

7.0.4194

7.0.422

7.0.4222

7.0.4223

7.0.4226

7.0.4227

7.0.423

7.0.4230

7.0.4232

7.0.4235

7.0.4239

7.0.4245

7.0.4248

7.0.4250

7.0.4255

7.0.4257

7.0.426

7.0.4260

7.0.427

7.0.431

7.0.4310

7.0.4312

7.0.4313

7.0.432

7.0.4341

7.0.4344

7.0.4345

7.0.4346

7.0.4349

7.0.437

7.0.438

7.0.4395

7.0.4415

7.0.4453

7.0.4518

7.0.4541

7.0.4543

7.0.4547

7.0.4578

7.0.4585

7.0.4588

7.0.4596

7.0.4597

7.0.4604

7.0.4652

7.0.4660

7.0.4663

7.0.4665

7.0.4671

7.0.4676

7.0.4699

7.0.47

7.0.4717

7.0.4720

7.0.4741

7.0.4748

7.0.4751

7.0.4758

7.0.4762

7.0.4763

7.0.4766

7.0.4771

7.0.4773

7.0.4808

7.0.4810

7.0.4813

7.0.4815

7.0.4816

7.0.4825

7.0.4829

7.0.4832

7.0.4836

7.0.4844

7.0.4845

7.0.4848

7.0.4849

7.0.4868

7.0.4877

7.0.4917

7.0.4922

7.0.4972

7.0.4976

7.0.4978

7.0.4981

7.0.5029

7.0.5045

7.0.5058

7.0.5065

7.0.5068

7.0.5069

7.0.5077

7.0.5079

7.0.5080

7.0.5096

7.0.5098

7.0.5108

7.0.528

7.0.529

7.0.53

7.0.530

7.0.533

7.0.534

7.0.537

7.0.538

7.0.54

7.0.542

7.0.543

7.0.546

7.0.548

7.0.549

7.0.55

7.0.551

7.0.556

7.0.557

7.0.559

7.0.56

7.0.563

7.0.566

7.0.567

7.0.568

7.0.57

7.0.572

7.0.580

7.0.581

7.0.586

7.0.587

7.0.590

7.0.591

7.0.592

7.0.595

7.0.596

7.0.599

7.0.601

7.0.602

7.0.606

7.0.608

7.0.612

7.0.613

7.0.616

7.0.617

7.0.620

7.0.621

7.0.622

7.0.625

7.0.626

7.0.629

7.0.636

7.0.640

7.0.645

7.0.647

7.0.650

7.0.653

7.0.654

7.0.657

7.0.658

7.0.662

7.0.664

7.0.67

7.0.69

7.0.71

7.0.72

7.0.723

7.0.724

7.0.725

7.0.729

7.0.730

7.0.734

7.0.738

7.0.739

7.0.743

7.0.747

7.0.748

7.0.75

7.0.753

7.0.755

7.0.756

7.0.759

7.0.76

7.0.761

7.0.762

7.0.765

7.0.766

7.0.774

7.0.775

7.0.778

7.0.782

7.0.79

7.0.791

7.0.796

7.0.797

7.0.8

7.0.804

7.0.81

7.0.810

7.0.813

7.0.814

7.0.817

7.0.818

7.0.82

7.0.823

7.0.834

7.0.835

7.0.838

7.0.841

7.0.844

7.0.85

7.0.859

7.0.86

7.0.865

7.0.89

7.0.890

7.0.892

7.0.894

7.0.90

7.0.905

7.0.907

7.0.911

7.0.912

7.0.918

7.0.927

7.0.929

7.0.931

7.0.943

7.0.944

7.0.948

7.0.949

7.0.953

7.0.954

7.0.955

7.0.959

7.0.961

7.0.965

7.0.966

7.0.972

7.0.973

7.0.977

7.0.979

7.0.98

7.0.984

8.*

8.0.5124

8.0.5125

8.0.5129

8.0.5151

8.0.5159

8.0.5163

8.0.5167

8.0.5174

8.0.5181

8.0.5185

8.0.5199

8.0.5209

8.0.5219

8.0.5220

8.0.5237

8.0.5239

8.0.5312

8.0.5341

8.0.5353

8.0.5355

8.0.5358

8.0.5359

8.0.5362

8.0.5403

8.0.5409

8.0.5416

8.0.5438

8.0.5440

8.0.5466

8.0.5469

8.0.5489

8.0.5496

8.0.5516

8.0.5567

8.0.5570

8.0.5571

8.0.5572

8.0.5574

8.0.5579

8.0.5580

8.0.5584

9.*

9.0.5598

9.1.0

9.1.1

9.1.2

9.1.3

9.2.10

9.2.11

9.2.12

9.2.4

9.2.7

9.2.8

9.2.9

9.3.0

9.3.11

9.3.13

9.3.14

9.3.15

9.3.16

9.3.19

9.3.2

9.3.22

9.3.3

9.3.4

9.3.6

9.3.7

9.3.8

9.4.0

9.4.1

9.4.11

9.4.13

9.4.2

9.4.3

9.5.0

9.5.13

9.5.2

9.5.3

9.5.8

v4.*

v4.0.0

v4.0.1

v4.0.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30957.json"