CVE-2026-33396

Source
https://cve.org/CVERecord?id=CVE-2026-33396
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33396.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33396
Aliases
  • GHSA-cqpg-phpp-9jjg
Published
2026-03-26T13:40:12.145Z
Modified
2026-07-15T01:48:53.192771429Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe
Details

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse page.context().browser()._browserType.launchServer(...) and spawn arbitrary processes. Version 10.0.35 contains a patch.

Database specific
{
    "cwe_ids": [
        "CWE-184",
        "CWE-693",
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33396.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/oneuptime/oneuptime

Affected ranges

Type
GIT
Repo
https://github.com/oneuptime/oneuptime
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.0.35"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

Other
${CI_PIPELINE_ID}
build-number-6149
build-number-6151
build-number-6206
build-number-6214
build-number-6343
build-number-6345
build-number-6372
build-number-6390
build-number-6393
build-number-6402
build-number-6408
build-number-6480
build-number-6484
build-number-6508
10.*
10.0.11
10.0.15
10.0.16
10.0.17
10.0.18
10.0.20
10.0.21
10.0.22
10.0.23
10.0.24
10.0.26
10.0.28
10.0.31
10.0.33
10.0.34
10.0.5
10.0.7
6.*
6.0.$CI_PIPELINE_ID
6.0.1
6.0.12
6.0.14
6.0.15
6.0.17
6.0.18
6.0.19
6.0.2
6.0.20
6.0.21
6.0.22
6.0.23
6.0.24
6.0.25
6.0.26
6.0.27
7.*
7.0.1000
7.0.1004
7.0.1039
7.0.104
7.0.1055
7.0.106
7.0.1078
7.0.109
7.0.1093
7.0.11
7.0.112
7.0.114
7.0.1143
7.0.1144
7.0.1167
7.0.1174
7.0.1183
7.0.1184
7.0.1191
7.0.1192
7.0.1195
7.0.122
7.0.1225
7.0.1229
7.0.123
7.0.1230
7.0.1243
7.0.1246
7.0.126
7.0.1265
7.0.1290
7.0.1297
7.0.130
7.0.131
7.0.1326
7.0.1327
7.0.134
7.0.1341
7.0.1353
7.0.137
7.0.1375
7.0.1377
7.0.1378
7.0.1379
7.0.1383
7.0.139
7.0.141
7.0.1430
7.0.1436
7.0.144
7.0.1441
7.0.1461
7.0.1469
7.0.149
7.0.1491
7.0.1494
7.0.1500
7.0.1502
7.0.1505
7.0.1506
7.0.1510
7.0.1513
7.0.1514
7.0.1517
7.0.1528
7.0.1529
7.0.1544
7.0.1555
7.0.1557
7.0.1568
7.0.1581
7.0.1585
7.0.1586
7.0.160
7.0.162
7.0.1633
7.0.1637
7.0.1638
7.0.1642
7.0.1643
7.0.165
7.0.167
7.0.1688
7.0.169
7.0.1694
7.0.1697
7.0.1708
7.0.1709
7.0.1717
7.0.173
7.0.1740
7.0.1741
7.0.1744
7.0.1745
7.0.1751
7.0.1752
7.0.1758
7.0.1767
7.0.1769
7.0.1780
7.0.1787
7.0.179
7.0.1790
7.0.1791
7.0.1792
7.0.1794
7.0.1797
7.0.18
7.0.1800
7.0.1803
7.0.1814
7.0.1815
7.0.182
7.0.1829
7.0.183
7.0.1830
7.0.1843
7.0.1852
7.0.1854
7.0.1856
7.0.1858
7.0.1860
7.0.1862
7.0.1866
7.0.1867
7.0.1870
7.0.1871
7.0.1874
7.0.1880
7.0.1881
7.0.1886
7.0.1888
7.0.1891
7.0.1894
7.0.1901
7.0.1902
7.0.1910
7.0.1929
7.0.193
7.0.1930
7.0.1931
7.0.1934
7.0.1935
7.0.1940
7.0.1945
7.0.1965
7.0.1966
7.0.197
7.0.1978
7.0.1982
7.0.1987
7.0.200
7.0.2009
7.0.201
7.0.2012
7.0.2014
7.0.2016
7.0.2018
7.0.2032
7.0.2033
7.0.204
7.0.2051
7.0.2055
7.0.2057
7.0.2062
7.0.2063
7.0.2066
7.0.2084
7.0.2086
7.0.2088
7.0.21
7.0.2118
7.0.213
7.0.2171
7.0.2186
7.0.219
7.0.2190
7.0.2191
7.0.2195
7.0.2196
7.0.2200
7.0.2207
7.0.2223
7.0.2224
7.0.2231
7.0.2233
7.0.2237
7.0.2239
7.0.224
7.0.2240
7.0.2243
7.0.2246
7.0.2270
7.0.228
7.0.231
7.0.2319
7.0.2320
7.0.2327
7.0.2335
7.0.2341
7.0.2346
7.0.2349
7.0.2354
7.0.2358
7.0.2361
7.0.2363
7.0.2371
7.0.2372
7.0.2377
7.0.239
7.0.2401
7.0.2402
7.0.2410
7.0.2446
7.0.2448
7.0.2449
7.0.2471
7.0.2473
7.0.2475
7.0.2476
7.0.2478
7.0.2479
7.0.2482
7.0.2487
7.0.2509
7.0.2525
7.0.2550
7.0.2571
7.0.2572
7.0.2574
7.0.2589
7.0.2620
7.0.2625
7.0.2628
7.0.2639
7.0.2643
7.0.2666
7.0.2721
7.0.2725
7.0.2730
7.0.2774
7.0.2825
7.0.2828
7.0.2832
7.0.2837
7.0.2846
7.0.2873
7.0.2875
7.0.2885
7.0.290
7.0.2901
7.0.2908
7.0.291
7.0.2913
7.0.2920
7.0.2923
7.0.2928
7.0.2936
7.0.294
7.0.296
7.0.297
7.0.2972
7.0.2976
7.0.298
7.0.2994
7.0.3010
7.0.3018
7.0.3035
7.0.3038
7.0.3040
7.0.3052
7.0.3064
7.0.3076
7.0.3080
7.0.3086
7.0.3095
7.0.3113
7.0.3124
7.0.3126
7.0.3129
7.0.3140
7.0.3148
7.0.3153
7.0.3158
7.0.3163
7.0.3176
7.0.318
7.0.3188
7.0.3198
7.0.3206
7.0.321
7.0.3211
7.0.3212
7.0.3225
7.0.3227
7.0.3237
7.0.3240
7.0.3242
7.0.3245
7.0.3250
7.0.3260
7.0.3278
7.0.3279
7.0.3291
7.0.3300
7.0.3309
7.0.3330
7.0.3336
7.0.3338
7.0.3343
7.0.335
7.0.3350
7.0.3351
7.0.3357
7.0.336
7.0.3365
7.0.3377
7.0.3387
7.0.339
7.0.3393
7.0.3403
7.0.3405
7.0.341
7.0.3413
7.0.3426
7.0.3437
7.0.344
7.0.3442
7.0.3445
7.0.3448
7.0.3453
7.0.3456
7.0.346
7.0.3464
7.0.3471
7.0.348
7.0.3480
7.0.35
7.0.350
7.0.3515
7.0.3517
7.0.352
7.0.3526
7.0.3538
7.0.354
7.0.3546
7.0.3548
7.0.3549
7.0.355
7.0.3557
7.0.3565
7.0.3579
7.0.358
7.0.3599
7.0.360
7.0.361
7.0.3611
7.0.3617
7.0.362
7.0.363
7.0.365
7.0.3652
7.0.366
7.0.367
7.0.3679
7.0.368
7.0.3682
7.0.3688
7.0.369
7.0.3691
7.0.3697
7.0.3699
7.0.3705
7.0.3708
7.0.3786
7.0.38
7.0.3822
7.0.3826
7.0.3831
7.0.3840
7.0.3882
7.0.3887
7.0.39
7.0.3903
7.0.3911
7.0.3914
7.0.3918
7.0.3922
7.0.3928
7.0.3930
7.0.3935
7.0.3939
7.0.3949
7.0.395
7.0.3952
7.0.3956
7.0.3958
7.0.3962
7.0.3965
7.0.3966
7.0.3970
7.0.3974
7.0.3975
7.0.3976
7.0.398
7.0.3980
7.0.3987
7.0.399
7.0.3993
7.0.4019
7.0.403
7.0.4034
7.0.404
7.0.4041
7.0.4066
7.0.407
7.0.4078
7.0.4084
7.0.409
7.0.4090
7.0.4093
7.0.4098
7.0.4099
7.0.410
7.0.4100
7.0.4102
7.0.4114
7.0.4115
7.0.4116
7.0.4123
7.0.4129
7.0.413
7.0.4135
7.0.414
7.0.4142
7.0.4144
7.0.4148
7.0.4150
7.0.4156
7.0.4158
7.0.416
7.0.4161
7.0.4166
7.0.4176
7.0.4188
7.0.419
7.0.4193
7.0.4194
7.0.422
7.0.4222
7.0.4223
7.0.4226
7.0.4227
7.0.423
7.0.4230
7.0.4232
7.0.4235
7.0.4239
7.0.4245
7.0.4248
7.0.4250
7.0.4255
7.0.4257
7.0.426
7.0.4260
7.0.427
7.0.431
7.0.4310
7.0.4312
7.0.4313
7.0.432
7.0.4341
7.0.4344
7.0.4345
7.0.4346
7.0.4349
7.0.437
7.0.438
7.0.4395
7.0.4415
7.0.4453
7.0.4518
7.0.4541
7.0.4543
7.0.4547
7.0.4578
7.0.4585
7.0.4588
7.0.4596
7.0.4597
7.0.4604
7.0.4652
7.0.4660
7.0.4663
7.0.4665
7.0.4671
7.0.4676
7.0.4699
7.0.47
7.0.4717
7.0.4720
7.0.4741
7.0.4748
7.0.4751
7.0.4758
7.0.4762
7.0.4763
7.0.4766
7.0.4771
7.0.4773
7.0.4808
7.0.4810
7.0.4813
7.0.4815
7.0.4816
7.0.4825
7.0.4829
7.0.4832
7.0.4836
7.0.4844
7.0.4845
7.0.4848
7.0.4849
7.0.4868
7.0.4877
7.0.4917
7.0.4922
7.0.4972
7.0.4976
7.0.4978
7.0.4981
7.0.5029
7.0.5045
7.0.5058
7.0.5065
7.0.5068
7.0.5069
7.0.5077
7.0.5079
7.0.5080
7.0.5096
7.0.5098
7.0.5108
7.0.528
7.0.529
7.0.53
7.0.530
7.0.533
7.0.534
7.0.537
7.0.538
7.0.54
7.0.542
7.0.543
7.0.546
7.0.548
7.0.549
7.0.55
7.0.551
7.0.556
7.0.557
7.0.559
7.0.56
7.0.563
7.0.566
7.0.567
7.0.568
7.0.57
7.0.572
7.0.580
7.0.581
7.0.586
7.0.587
7.0.590
7.0.591
7.0.592
7.0.595
7.0.596
7.0.599
7.0.601
7.0.602
7.0.606
7.0.608
7.0.612
7.0.613
7.0.616
7.0.617
7.0.620
7.0.621
7.0.622
7.0.625
7.0.626
7.0.629
7.0.636
7.0.640
7.0.645
7.0.647
7.0.650
7.0.653
7.0.654
7.0.657
7.0.658
7.0.662
7.0.664
7.0.67
7.0.69
7.0.71
7.0.72
7.0.723
7.0.724
7.0.725
7.0.729
7.0.730
7.0.734
7.0.738
7.0.739
7.0.743
7.0.747
7.0.748
7.0.75
7.0.753
7.0.755
7.0.756
7.0.759
7.0.76
7.0.761
7.0.762
7.0.765
7.0.766
7.0.774
7.0.775
7.0.778
7.0.782
7.0.79
7.0.791
7.0.796
7.0.797
7.0.8
7.0.804
7.0.81
7.0.810
7.0.813
7.0.814
7.0.817
7.0.818
7.0.82
7.0.823
7.0.834
7.0.835
7.0.838
7.0.841
7.0.844
7.0.85
7.0.859
7.0.86
7.0.865
7.0.89
7.0.890
7.0.892
7.0.894
7.0.90
7.0.905
7.0.907
7.0.911
7.0.912
7.0.918
7.0.927
7.0.929
7.0.931
7.0.943
7.0.944
7.0.948
7.0.949
7.0.953
7.0.954
7.0.955
7.0.959
7.0.961
7.0.965
7.0.966
7.0.972
7.0.973
7.0.977
7.0.979
7.0.98
7.0.984
8.*
8.0.5124
8.0.5125
8.0.5129
8.0.5151
8.0.5159
8.0.5163
8.0.5167
8.0.5174
8.0.5181
8.0.5185
8.0.5199
8.0.5209
8.0.5219
8.0.5220
8.0.5237
8.0.5239
8.0.5312
8.0.5341
8.0.5353
8.0.5355
8.0.5358
8.0.5359
8.0.5362
8.0.5403
8.0.5409
8.0.5416
8.0.5438
8.0.5440
8.0.5466
8.0.5469
8.0.5489
8.0.5496
8.0.5516
8.0.5567
8.0.5570
8.0.5571
8.0.5572
8.0.5574
8.0.5579
8.0.5580
8.0.5584
9.*
9.0.5598
9.1.0
9.1.1
9.1.2
9.1.3
9.2.10
9.2.11
9.2.12
9.2.4
9.2.7
9.2.8
9.2.9
9.3.0
9.3.11
9.3.13
9.3.14
9.3.15
9.3.16
9.3.19
9.3.2
9.3.22
9.3.3
9.3.4
9.3.6
9.3.7
9.3.8
9.4.0
9.4.1
9.4.11
9.4.13
9.4.2
9.4.3
9.5.0
9.5.13
9.5.2
9.5.3
9.5.8
v4.*
v4.0.0
v4.0.1
v4.0.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33396.json"