CVE-2026-30957 - Vulnerability Analysis
CriticalCVSS: 9.9Last Updated: March 11, 2026
OneUptime - Remote Code Execution
Overview
OneUptime < 10.0.21 contains a server-side remote code execution caused by execution of untrusted Synthetic Monitor code in Node's vm exposing Playwright browser objects, letting low-privileged authenticated users execute arbitrary commands on the probe server.
Severity & Score
Impact
Low-privileged authenticated users can execute arbitrary commands on the probe server, leading to full server compromise.
Mitigation
Upgrade to version 10.0.21 or later.
References
Social Media Activity(2 posts)
š“ CVE-2026-30957 - Critical (9.9) OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root c... š https://www.thehackerwire.com/vulnerability/CVE-2026-30957/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postš“ CVE-2026-30957 - Critical (9.9) OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root c... š https://www.thehackerwire.com/vulnerability/CVE-2026-30957/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-30957
- Severity
- Critical
- CVSS Score
- 9.9
- Type
- remote_code_execution
- Status
- unconfirmed
- EPSS
- 27.0%
- Social Posts
- 2
CWE
- CWE-749
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H