LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-32306

CVE-2026-32306 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: March 16, 2026

OneUptime - SQL Injection

Published: March 13, 2026Updated: March 16, 2026Remote Exploitable

Overview

OneUptime < 10.0.23 contains a SQL injection caused by unsanitized user-controlled parameters in telemetry aggregation API, letting authenticated users execute arbitrary SQL including data read, modification, and potential remote code execution.

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 39.5%(Probability of exploitation in next 30 days)

Impact

Authenticated users can execute arbitrary SQL, read and modify all tenant telemetry data, and potentially execute remote code on the database server.

Mitigation

Update to version 10.0.23 or later.

References

Social Media Activity(1 post)

TheHackerWire
TheHackerWire
@thehackerwire
Mar 20, 2026

šŸŸ  CVE-2026-33142 - High (8.1) OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-33142/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-32306
Severity
Critical
CVSS Score
9.9
Type
sql_injection
Status
unconfirmed
EPSS
39.5%
Social Posts
1

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

39.5%Probability of exploitation in the next 30 days