CVE-2026-30957
Published: 10 March 2026
Summary
CVE-2026-30957 is a critical-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 29.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-18 (Mobile Code).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates execution of untrusted Synthetic Monitor code by requiring isolation in virtual machines, checks, or restrictions to prevent exposure of host-realm Playwright browser objects.
- Enforces process isolation to separate untrusted code execution in Node's vm from host objects, blocking access to Playwright APIs that enable spawning attacker-controlled executables.
- Limits the probe server's execution environment to least functionality by prohibiting unnecessary capabilities like Playwright browser object exposure to untrusted code.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged remote users to achieve arbitrary remote code execution on the probe server/container via injected malicious code exploiting exposed Playwright APIs, directly facilitating Exploitation for Privilege Escalation (T1068) and Exploitation of Remote Services (T1210).
NVD Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
Deeper analysis
CVE-2026-30957 is a server-side remote code execution vulnerability in OneUptime, an open-source solution for monitoring and managing online services. It affects the Synthetic Monitors component prior to version 10.0.21, specifically within the oneuptime-probe server or container. The root cause lies in the execution of untrusted Synthetic Monitor code inside Node.js's vm module, where live host-realm Playwright browser and page objects are exposed to the untrusted context. This exposure, rated at CVSS 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and mapped to CWE-749 (Exposed Dangerous Method or Function), allows attackers to invoke Playwright APIs without requiring a separate VM sandbox escape.
A low-privileged authenticated project user can exploit this vulnerability remotely over the network with low complexity and no user interaction. By injecting malicious code into a Synthetic Monitor, the attacker calls Playwright APIs on the exposed browser object, causing the oneuptime-probe server/container to spawn an attacker-controlled executable. Successful exploitation grants full arbitrary command execution on the probe host, enabling complete compromise including high confidentiality, integrity, and availability impacts due to the changed scope.
The vulnerability is fixed in OneUptime version 10.0.21. Official mitigation details are available in the GitHub release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.21 and the security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q, which practitioners should consult for upgrade instructions and any additional hardening recommendations.
Details
- CWE(s)