CVE-2026-30887
Published: 10 March 2026
Summary
CVE-2026-30887 is a critical-severity Code Injection (CWE-94) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The vulnerability is ranked at the 19.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires controls on the execution of untrusted mobile code such as user-supplied Playwright/JavaScript in Synthetic Monitors to prevent sandbox bypass and RCE.
Mandates process isolation to block prototype-chain escapes from user code environments accessing the underlying Node.js process and enabling arbitrary command execution.
Ensures timely remediation of flaws like the insecure Node.js vm module sandbox escape fixed in version 10.0.18.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A sandbox escape from the Node.js vm module via attacker-supplied JavaScript directly enables arbitrary code execution (T1059.007); escalation from a low-privileged project member to container RCE and cluster compromise is classic Exploitation for Privilege Escalation (T1068); post-RCE extraction of database and cluster credentials from process.env matches Unsecured Credentials (T1552).
NVD Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.
Deeper analysis
CVE-2026-30887 is a critical vulnerability in OneUptime, an open-source solution for monitoring and managing online services, affecting versions prior to 10.0.18. The issue lies in the Synthetic Monitors feature, which permits project members to execute custom Playwright/JavaScript code for website testing. This untrusted code runs within the insecure Node.js vm module, allowing attackers to perform a prototype-chain escape, such as via this.constructor.constructor, to bypass the sandbox and access the underlying Node.js process object.
Project members with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving remote code execution (RCE) on the oneuptime-probe container and escalating to a complete cluster compromise. The probe container holds database and cluster credentials in environment variables, enabling attackers to extract these secrets post-exploitation. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-94 (improper control of generation of code).
OneUptime addressed this vulnerability in version 10.0.18. The GitHub Security Advisory at GHSA-h343-gg57-2q67 provides details on the fix and recommends upgrading to the patched version to mitigate the sandbox escape and RCE risks.
Details
- CWE(s)