Cyber Posture

CVE-2026-27728

Critical · Public PoC

Published: 25 February 2026
Modified: 02 March 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0040 (60.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Version 10.0.7 fixes the vulnerability.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly requires validation of the monitor's destination field inputs to block shell metacharacters and prevent OS command injection.

prevent: Mandates timely remediation of the identified flaw by upgrading to version 10.0.7, which implements input sanitization.

prevent: Enforces least privilege on the Probe server processes to limit the scope and impact of any successfully injected commands.

Security Summary (AI-generated)

CVE-2026-27728 is an OS command injection vulnerability (CWE-78) in OneUptime, an open-source solution for monitoring and managing online services. The flaw affects versions prior to 10.0.7 and exists in the `NetworkPathMonitor.performTraceroute()` function, where insufficient input validation allows shell metacharacters injected into a monitor's destination field to execute arbitrary operating system commands on the Probe server. Published on 2026-02-25, it carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity: it is reachable over the network, has low attack complexity, requires only low privileges, and its impact crosses a security scope (the Probe server) beyond the vulnerable component itself.

Any authenticated project user can exploit this vulnerability remotely without user interaction by crafting a malicious destination field in a monitor configuration. Exploitation grants arbitrary command execution on the Probe server, enabling full system compromise, data exfiltration, persistence, or further lateral movement, with severe consequences for confidentiality, integrity, and availability in environments relying on OneUptime for service monitoring.

OneUptime version 10.0.7 addresses the vulnerability through input sanitization or validation fixes. Security practitioners should upgrade immediately and review the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jmhp-5558-qxh5 and the patching commit at https://github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b99288c1 for implementation details.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: hackerbay / oneuptime / ≤ 10.0.7

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

This CVE enables remote exploitation of a public-facing monitoring application (T1190) via OS command injection in the traceroute function, directly facilitating arbitrary Unix shell command execution (T1059.004) through insufficient input validation on shell metacharacters.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
