Cyber Resilience

CVE-2026-30957

Critical · Public PoC

Published: 10 March 2026
Modified: 12 March 2026
KEV Added: not listed
Patch: 10.0.21
CVSS v3.1 score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0115 (62.9th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-30957 is a critical-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By EPSS, the CVE ranks in the top 37.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-18 (Mobile Code).

Deeper analysis

CVE-2026-30957 is a server-side remote code execution vulnerability in OneUptime, an open-source solution for monitoring and managing online services. It affects the Synthetic Monitors component prior to version 10.0.21, specifically within the oneuptime-probe server or container. The root cause lies in the execution of untrusted Synthetic Monitor code inside Node.js's vm module, where live host-realm Playwright browser and page objects are exposed to the untrusted context. This exposure, rated at CVSS 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and mapped to CWE-749 (Exposed Dangerous Method or Function), allows attackers to invoke Playwright APIs without requiring a separate VM sandbox escape.

A low-privileged authenticated project user can exploit this vulnerability remotely over the network with low complexity and no user interaction. By injecting malicious code into a Synthetic Monitor, the attacker calls Playwright APIs on the exposed browser object, causing the oneuptime-probe server/container to spawn an attacker-controlled executable. Successful exploitation grants full arbitrary command execution on the probe host, enabling complete compromise including high confidentiality, integrity, and availability impacts due to the changed scope.

The vulnerability is fixed in OneUptime version 10.0.21. Official mitigation details are available in the GitHub release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.21 and the security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q, which practitioners should consult for upgrade instructions and any additional hardening recommendations.

Vulnerability details

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.

CWE(s)

CWE-749 Exposed Dangerous Method or Function

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables low-privileged remote users to achieve arbitrary remote code execution on the probe server/container via injected malicious code exploiting exposed Playwright APIs, directly facilitating Exploitation for Privilege Escalation (T1068) and Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30921: same product (Hackerbay Oneuptime)
CVE-2026-33396: same product (Hackerbay Oneuptime)
CVE-2026-30887: same product (Hackerbay Oneuptime)
CVE-2026-27574: same product (Hackerbay Oneuptime)
CVE-2026-30956: same product (Hackerbay Oneuptime)
CVE-2026-28787: same product (Hackerbay Oneuptime)
CVE-2026-33142: same product (Hackerbay Oneuptime)
CVE-2026-33143: same product (Hackerbay Oneuptime)
CVE-2026-35053: same product (Hackerbay Oneuptime)
CVE-2026-32306: same product (Hackerbay Oneuptime)

Affected Assets

Vendor: hackerbay
Product: oneuptime
Versions: ≤ 10.0.21 (as recorded; the analysis above states that the fix ships in 10.0.21, so 10.0.21 itself is the patched release and earlier versions are the ones affected)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly mitigates execution of untrusted Synthetic Monitor code by requiring isolation in virtual machines, checks, or restrictions to prevent exposure of host-realm Playwright browser objects.

Prevent: Enforces process isolation to separate untrusted code execution in Node's vm from host objects, blocking access to Playwright APIs that enable spawning attacker-controlled executables.

Prevent: Limits the probe server's execution environment to least functionality by prohibiting unnecessary capabilities like Playwright browser object exposure to untrusted code.
