CVE-2026-30921 (GCVE-0-2026-30921)
Vulnerability from cvelistv5 – Published: 2026-03-09 22:58 – Updated: 2026-03-10 14:13
VLAI?
Title
OneUptime Synthetic Monitor RCE via exposed Playwright browser object
Summary
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
Severity ?
10 (Critical)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30921",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:13:48.408035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:13:54.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "oneuptime",
"vendor": "OneUptime",
"versions": [
{
"status": "affected",
"version": "\u003c 10.0.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node\u0027s vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T22:58:58.618Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8"
}
],
"source": {
"advisory": "GHSA-4j36-39gm-8vq8",
"discovery": "UNKNOWN"
},
"title": "OneUptime Synthetic Monitor RCE via exposed Playwright browser object"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30921",
"datePublished": "2026-03-09T22:58:58.618Z",
"dateReserved": "2026-03-07T16:40:05.884Z",
"dateUpdated": "2026-03-10T14:13:54.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-30921\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T17:40:16.160\",\"lastModified\":\"2026-03-12T13:44:49.127\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node\u0027s vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.\"},{\"lang\":\"es\",\"value\":\"OneUptime es una soluci\u00f3n para monitorear y gestionar servicios en l\u00ednea. Antes de la versi\u00f3n 10.0.20, los Monitores Sint\u00e9ticos de OneUptime permiten a usuarios de proyecto con bajos privilegios enviar c\u00f3digo Playwright personalizado que se ejecuta en el servicio oneuptime-probe. En la implementaci\u00f3n actual, este c\u00f3digo no confiable se ejecuta dentro de la vm de Node y se le otorgan objetos Playwright de host en vivo como navegador y p\u00e1gina. Esto crea una primitiva RCE del lado del servidor distinta: el atacante no necesita el cl\u00e1sico escape de sandbox this.constructor.constructor(...). En su lugar, el atacante puede usar directamente el objeto navegador de Playwright inyectado para alcanzar browser.browserType().launch(...) y generar un ejecutable arbitrario en el host/contenedor de la sonda. Esta vulnerabilidad se corrige en la versi\u00f3n 10.0.20.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-749\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.0.20\",\"matchCriteriaId\":\"47A8362E-263D-46E0-8339-83F9AFDC973D\"}]}]}],\"references\":[{\"url\":\"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30921\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T14:13:48.408035Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T14:12:13.746Z\"}}], \"cna\": {\"title\": \"OneUptime Synthetic Monitor RCE via exposed Playwright browser object\", \"source\": {\"advisory\": \"GHSA-4j36-39gm-8vq8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"OneUptime\", \"product\": \"oneuptime\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 10.0.20\"}]}], \"references\": [{\"url\": \"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8\", \"name\": \"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node\u0027s vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-749\", \"description\": \"CWE-749: Exposed Dangerous Method or Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-09T22:58:58.618Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-30921\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T14:13:54.890Z\", \"dateReserved\": \"2026-03-07T16:40:05.884Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-09T22:58:58.618Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-4J36-39GM-8VQ8
Vulnerability from github – Published: 2026-03-07 02:39 – Updated: 2026-03-10 18:44
VLAI?
Summary
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
Details
Summary
OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page.
This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container.
This appears to be a separate issue from the previously published node:vm(GHSA-h343-gg57-2q67) breakout advisory because the root cause here is exposure of a dangerous host capability object to untrusted code, not prototype-chain access to process.
Details
A normal project member can create or edit monitors and monitor tests:
- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/Monitor.ts#L45-L78
- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/MonitorTest.ts#L27-L60
The dashboard exposes a Playwright code editor for Synthetic Monitors and allows the user to queue a test run:
- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorStep.tsx#L861-L918
- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorTest.tsx#L66-L84
The probe worker polls queued monitor tests and executes them:
- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchMonitorTest.ts#L55-L85
For MonitorType.SyntheticMonitor, the user-controlled customCode is passed into SyntheticMonitor.execute(...):
- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/Monitor.ts#L323-L338
SyntheticMonitor.execute(...) then runs that code through VMRunner.runCodeInNodeVM(...) and injects the live Playwright browser and page objects into the VM context:
- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/MonitorTypes/SyntheticMonitor.ts#L156-L168
VMRunner.runCodeInNodeVM(...) creates a Node vm context and exposes host objects into it, including the additional context objects:
- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Server/Utils/VM/VMRunner.ts#L323-L405
The proxy wrapper blocks only a small set of property names and still forwards normal method calls with the real host this binding. Because of that, untrusted monitor code can still use legitimate Playwright methods on the injected browser object.
That is enough for code execution because Playwright's Browser exposes browserType(), and BrowserType.launch() accepts attacker-controlled process launch options such as executablePath, args, and ignoreDefaultArgs. An attacker can therefore cause the probe to spawn an arbitrary executable. Even if Playwright later errors because the spawned process is not a real browser, the command has already executed.
This same execution path is also used for normal scheduled monitors, not only one-shot monitor tests:
- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchList.ts#L110-L121
As a result, the issue can be abused either as a one-shot RCE via Test Monitor or as a persistent scheduled RCE by saving a malicious Synthetic Monitor.
PoC
- Log in as any user with normal project membership.
- Go to
Monitors -> Create New Monitor. - Select
Synthetic Monitor. - In
Playwright Code, paste the following script:
const HostFunction =
Object.getOwnPropertyDescriptor(console, "log").value.constructor;
return {
data: {
node: HostFunction('return process.version')(),
cwd: HostFunction('return process.cwd()')(),
id: HostFunction(
'return process.getBuiltinModule("child_process").execSync("id").toString()'
)(),
},
};
- Select any one browser type, for example
Chromium. - Select any one screen type, for example
Desktop. - Set retry count to
0. - Click
Test Monitorand choose a probe.
Expected result:
- the monitor execution succeeded and in the
Show More Detailsthe command output is shown.
Impact
This is a server-side Remote Code Execution issue affecting the probe component.
Who is impacted:
- any OneUptime deployment where an attacker can obtain ordinary project membership
- environments where the probe has access to internal services, secrets, Kubernetes metadata, database credentials, proxy credentials, or other cluster-local trust relationships
Severity ?
9.9 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@oneuptime/common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.0.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30921"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-07T02:39:04Z",
"nvd_published_at": "2026-03-10T17:40:16Z",
"severity": "CRITICAL"
},
"details": "Summary\n\nOneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the `oneuptime-probe` service. In the current implementation, this untrusted code is run inside Node\u0027s `vm` and is given live host Playwright objects such as `browser` and `page`.\n\nThis creates a distinct server-side RCE primitive: the attacker does not need the classic `this.constructor.constructor(...)` sandbox escape. Instead, the attacker can directly use the injected Playwright `browser` object to reach `browser.browserType().launch(...)` and spawn an arbitrary executable on the probe host/container.\n\nThis appears to be a separate issue from the previously published `node:vm(GHSA-h343-gg57-2q67)` breakout advisory because the root cause here is exposure of a dangerous host capability object to untrusted code, not prototype-chain access to `process`.\n\n## Details\n\nA normal project member can create or edit monitors and monitor tests:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/Monitor.ts#L45-L78\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/MonitorTest.ts#L27-L60\n\nThe dashboard exposes a Playwright code editor for Synthetic Monitors and allows the user to queue a test run:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorStep.tsx#L861-L918\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorTest.tsx#L66-L84\n\nThe probe worker polls queued monitor tests and executes them:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchMonitorTest.ts#L55-L85\n\nFor `MonitorType.SyntheticMonitor`, the user-controlled `customCode` is passed into `SyntheticMonitor.execute(...)`:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/Monitor.ts#L323-L338\n\n`SyntheticMonitor.execute(...)` then runs that code through `VMRunner.runCodeInNodeVM(...)` and injects the live Playwright `browser` and `page` objects into the VM context:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/MonitorTypes/SyntheticMonitor.ts#L156-L168\n\n`VMRunner.runCodeInNodeVM(...)` creates a Node `vm` context and exposes host objects into it, including the additional context objects:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Server/Utils/VM/VMRunner.ts#L323-L405\n\nThe proxy wrapper blocks only a small set of property names and still forwards normal method calls with the real host `this` binding. Because of that, untrusted monitor code can still use legitimate Playwright methods on the injected `browser` object.\n\nThat is enough for code execution because Playwright\u0027s `Browser` exposes `browserType()`, and `BrowserType.launch()` accepts attacker-controlled process launch options such as `executablePath`, `args`, and `ignoreDefaultArgs`. An attacker can therefore cause the probe to spawn an arbitrary executable. Even if Playwright later errors because the spawned process is not a real browser, the command has already executed.\n\nThis same execution path is also used for normal scheduled monitors, not only one-shot monitor tests:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchList.ts#L110-L121\n\nAs a result, the issue can be abused either as a one-shot RCE via `Test Monitor` or as a persistent scheduled RCE by saving a malicious Synthetic Monitor.\n\n### PoC\n\n1. Log in as any user with normal project membership.\n2. Go to `Monitors -\u003e Create New Monitor`.\n3. Select `Synthetic Monitor`.\n4. In `Playwright Code`, paste the following script:\n\n```javascript\n const HostFunction =\n Object.getOwnPropertyDescriptor(console, \"log\").value.constructor;\n\n return {\n data: {\n node: HostFunction(\u0027return process.version\u0027)(),\n cwd: HostFunction(\u0027return process.cwd()\u0027)(),\n id: HostFunction(\n \u0027return process.getBuiltinModule(\"child_process\").execSync(\"id\").toString()\u0027\n )(),\n },\n };\n\n```\n\n5. Select any one browser type, for example `Chromium`.\n6. Select any one screen type, for example `Desktop`.\n7. Set retry count to `0`.\n8. Click `Test Monitor` and choose a probe.\n\nExpected result:\n\n- the monitor execution succeeded and in the `Show More Details` the command output is shown.\n\u003cimg width=\"899\" height=\"249\" alt=\"image\" src=\"https://github.com/user-attachments/assets/98ebd26f-431b-438e-9459-7deeebf97b18\" /\u003e\n\n\n\n### Impact\n\nThis is a server-side `Remote Code Execution` issue affecting the probe component.\n\nWho is impacted:\n\n- any OneUptime deployment where an attacker can obtain ordinary project membership\n- environments where the probe has access to internal services, secrets, Kubernetes metadata, database credentials, proxy credentials, or other cluster-local trust relationships",
"id": "GHSA-4j36-39gm-8vq8",
"modified": "2026-03-10T18:44:23Z",
"published": "2026-03-07T02:39:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30921"
},
{
"type": "PACKAGE",
"url": "https://github.com/OneUptime/oneuptime"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorStep.tsx#L861-L918"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorTest.tsx#L66-L84"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/Monitor.ts#L45-L78"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/MonitorTest.ts#L27-L60"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Server/Utils/VM/VMRunner.ts#L323-L405"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchList.ts#L110-L121"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchMonitorTest.ts#L55-L85"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/Monitor.ts#L323-L338"
},
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/MonitorTypes/SyntheticMonitor.ts#L156-L168"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OneUptime: Synthetic Monitor RCE via exposed Playwright browser object"
}
FKIE_CVE-2026-30921
Vulnerability from fkie_nvd - Published: 2026-03-10 17:40 - Updated: 2026-03-12 13:44
Severity ?
Summary
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8 | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "47A8362E-263D-46E0-8339-83F9AFDC973D",
"versionEndExcluding": "10.0.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node\u0027s vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20."
},
{
"lang": "es",
"value": "OneUptime es una soluci\u00f3n para monitorear y gestionar servicios en l\u00ednea. Antes de la versi\u00f3n 10.0.20, los Monitores Sint\u00e9ticos de OneUptime permiten a usuarios de proyecto con bajos privilegios enviar c\u00f3digo Playwright personalizado que se ejecuta en el servicio oneuptime-probe. En la implementaci\u00f3n actual, este c\u00f3digo no confiable se ejecuta dentro de la vm de Node y se le otorgan objetos Playwright de host en vivo como navegador y p\u00e1gina. Esto crea una primitiva RCE del lado del servidor distinta: el atacante no necesita el cl\u00e1sico escape de sandbox this.constructor.constructor(...). En su lugar, el atacante puede usar directamente el objeto navegador de Playwright inyectado para alcanzar browser.browserType().launch(...) y generar un ejecutable arbitrario en el host/contenedor de la sonda. Esta vulnerabilidad se corrige en la versi\u00f3n 10.0.20."
}
],
"id": "CVE-2026-30921",
"lastModified": "2026-03-12T13:44:49.127",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-10T17:40:16.160",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-749"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…