CVE-2026-33396

CVE-2026-33396 is a high-severity vulnerability in OneUptime, an open-source monitoring and observability platform, affecting versions prior to 10.0.35. It stems from an incomplete sandbox in the Synthetic Monitor Playwright script execution feature, where user-supplied code runs in VMRunner.runCodeInNodeVM alongside a live Playwright page object. The sandbox uses a denylist of blocked properties and methods, but fails to block _browserType and launchServer, enabling traversal via page.context().browser()._browserType.launchServer(...) to spawn arbitrary processes and achieve remote command execution (RCE) on the Probe container or host. The issue is classified under CWE-78 (OS Command Injection), CWE-184 (Incomplete List of Disallowed Inputs), and CWE-693 (Protection Mechanism Failure), with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A low-privileged authenticated user with ProjectMember role can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious Synthetic Monitor scripts, the attacker bypasses the sandbox to execute arbitrary commands on the affected Probe container or host, potentially leading to full compromise including high confidentiality, integrity, and availability impacts due to the high scope change.

The GitHub security advisory (GHSA-cqpg-phpp-9jjg) and associated patch commit detail mitigation via version 10.0.35, which addresses the incomplete denylist in the Playwright sandbox to prevent the traversal and command execution. Security practitioners should upgrade to 10.0.35 or later and review access to ProjectMember roles in Synthetic Monitor configurations.