Hackerbay

Oneuptime

23 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty, in its original format.
Exploit
  • EPSS 0.12%
  • Published 02.04.2026 18:55:49
  • Last modified 13.04.2026 18:46:50

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without ...

Exploit
  • EPSS 0.03%
  • Published 02.04.2026 18:52:48
  • Last modified 13.04.2026 18:46:00

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() v...

Exploit
  • EPSS 0.11%
  • Published 02.04.2026 18:50:55
  • Last modified 13.04.2026 18:45:18

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAu...

Exploit
  • EPSS 0.04%
  • Published 02.04.2026 18:49:29
  • Last modified 03.04.2026 19:52:26

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue ...

Exploit
  • EPSS 0.84%
  • Published 26.03.2026 13:40:12
  • Last modified 26.03.2026 20:40:52

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright ...

  • EPSS 0.03%
  • Published 20.03.2026 20:05:19
  • Last modified 23.03.2026 20:34:10

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not ap...

Exploit
  • EPSS 0.03%
  • Published 20.03.2026 20:05:13
  • Last modified 23.03.2026 20:48:27

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signat...

Exploit
  • EPSS 0.03%
  • Published 12.03.2026 21:31:12
  • Last modified 17.03.2026 20:06:09

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production....

Exploit
  • EPSS 0.04%
  • Published 12.03.2026 21:29:00
  • Last modified 17.03.2026 20:08:07

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows i...

Exploit
  • EPSS 0.4%
  • Published 12.03.2026 21:27:51
  • Last modified 17.03.2026 20:08:56

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them dir...