CVE-2026-32306 - Vulnerability Analysis
CriticalCVSS: 9.9Last Updated: March 13, 2026
OneUptime - SQL Injection
Overview
OneUptime < 10.0.23 contains a SQL injection caused by unsanitized user-controlled parameters in telemetry aggregation API, letting authenticated users execute arbitrary SQL including data read, modification, and potential remote code execution.
Severity & Score
Impact
Authenticated users can execute arbitrary SQL, read and modify all tenant telemetry data, and potentially execute remote code on the database server.
Mitigation
Update to version 10.0.23 or later.
Social Media Activity(2 posts)
š“ CVE-2026-32306 - Critical (9.9) OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them ... š https://www.thehackerwire.com/vulnerability/CVE-2026-32306/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š“ CVE-2026-32306 - Critical (9.9) OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them ... š https://www.thehackerwire.com/vulnerability/CVE-2026-32306/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-32306
- Severity
- Critical
- CVSS Score
- 9.9
- Type
- sql_injection
- Status
- new
- EPSS
- 22.9%
- Social Posts
- 2
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H