CVE-2026-33396

Exploit

EPSS 0.83%
Veröffentlicht 26.03.2026 13:40:12
Zuletzt bearbeitet 26.03.2026 20:40:52
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hackerbay ≫ Oneuptime Version < 10.0.35

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.83%	0.528

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-693 Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg

Vendor Advisory

Exploit

https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-33396

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33396

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33396

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33396