CVE-2026-30957
Published: 10 March 2026
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2026-30957 is a server-side remote code execution vulnerability in OneUptime, an open-source solution for monitoring and managing online services. It affects the Synthetic Monitors component prior to version 10.0.21, specifically within the oneuptime-probe server or container. The root cause lies in the execution of untrusted Synthetic Monitor code inside Node.js's vm module, where live host-realm Playwright browser and page objects are exposed to the untrusted context. This exposure, rated at CVSS 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and mapped to CWE-749 (Exposed Dangerous Method or Function), allows attackers to invoke Playwright APIs without requiring a separate VM sandbox escape.
A low-privileged authenticated project user can exploit this vulnerability remotely over the network with low complexity and no user interaction. By injecting malicious code into a Synthetic Monitor, the attacker calls Playwright APIs on the exposed browser object, causing the oneuptime-probe server/container to spawn an attacker-controlled executable. Successful exploitation grants full arbitrary command execution on the probe host, enabling complete compromise including high confidentiality, integrity, and availability impacts due to the changed scope.
The vulnerability is fixed in OneUptime version 10.0.21. Official mitigation details are available in the GitHub release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.21 and the security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q, which practitioners should consult for upgrade instructions and any additional hardening recommendations.
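The root cause described above, reduced to an added Node.js example that is not OneUptime or Playwright code; `HostBrowser`, `launchHelper`, `auditExposure` and the allowlist are hypothetical stand-ins. It shows that a script in a `vm` context can call any method on a host object it is handed, and gives a review check that lists the method surface a set of sandbox globals exposes.

```javascript
// Added example: constructed stand-ins, not OneUptime or Playwright code.
const vm = require('node:vm');

// Hypothetical host-side object standing in for a live browser handle.
class HostBrowser {
  constructor() { this.calls = []; }
  newPage() { this.calls.push('newPage'); return 'page-1'; }
  // Hypothetical privileged capability the monitor author never meant to offer.
  launchHelper(path) { this.calls.push(`launchHelper:${path}`); return true; }
}

// List every callable member reachable on a value, walking the prototype chain.
function reachableMethods(value) {
  const found = new Set();
  for (let o = value; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const key of Reflect.ownKeys(o)) {
      if (key === 'constructor' || typeof key !== 'string') continue;
      const desc = Object.getOwnPropertyDescriptor(o, key);
      if (typeof desc.value === 'function') found.add(key);
    }
  }
  return [...found].sort();
}

// Review aid: report sandbox globals that expose methods outside an allowlist.
function auditExposure(globals, allowlist) {
  const findings = [];
  for (const [name, value] of Object.entries(globals)) {
    if (value === null || typeof value !== 'object') continue;
    for (const m of reachableMethods(value)) {
      if (!(allowlist[name] || []).includes(m)) findings.push(`${name}.${m}`);
    }
  }
  return findings;
}

// Run script text with the given globals, as a vm-based monitor runner would.
function runInVm(code, globals) {
  return vm.runInContext(code, vm.createContext(globals), { timeout: 1000 });
}

// Constructed demo: the script reaches a host method by plain property access.
function demo() {
  const browser = new HostBrowser();
  runInVm("browser.launchHelper('constructed-path')", { browser });
  return browser.calls;
}
```

An empty findings list only means the exposed surface matches the allowlist. Node's documentation states that `vm` is not a security mechanism, so untrusted code still needs process-level or container-level isolation.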
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged remote users to achieve arbitrary remote code execution on the probe server/container via injected malicious code exploiting exposed Playwright APIs, directly facilitating Exploitation for Privilege Escalation (T1068) and Exploitation of Remote Services (T1210).