Cyber Resilience

CVE-2026-32308

HighPublic PoC

Published: 13 March 2026

Published
13 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
EPSS Score 0.0005 17.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32308 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-32308 is a cross-site scripting (XSS) vulnerability (CWE-79) in OneUptime, an open-source solution for monitoring and managing online services. In versions prior to 10.0.23, the Markdown viewer component processes Mermaid diagrams using a securityLevel set to "loose," which permits interactive event bindings. The resulting SVG output is injected into the page via innerHTML, allowing attackers to leverage Mermaid's click directive to execute arbitrary JavaScript. This affects any user-input fields that render Markdown content, such as incident descriptions, status page announcements, and monitor notes. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by injecting a malicious Mermaid diagram into a vulnerable Markdown field. The attack requires low complexity (AC:L) and user interaction (UI:R), such as a victim clicking on the rendered diagram, which triggers the click directive to execute JavaScript in the context of the application (S:C). Successful exploitation enables high-impact confidentiality violations (C:H), such as stealing session cookies, tokens, or sensitive data viewed by the victim, with low integrity impact (I:L) and no availability disruption (A:N).

The OneUptime security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh details the issue and confirms the fix in version 10.0.23, which addresses the insecure Mermaid rendering configuration. Security practitioners should upgrade to 10.0.23 or later and review any custom Markdown rendering implementations for similar misconfigurations involving SVG injection or loose security policies in diagramming libraries.

EU & UK References

Vulnerability details

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams,…

more

enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

XSS vuln in public-facing Markdown/Mermaid renderer directly enables T1190 (exploit of web app), T1059.007 (arbitrary JS execution via click directive), and T1539 (session cookie/token theft as described impact).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35053Same product: Hackerbay Oneuptime
CVE-2026-27574Same product: Hackerbay Oneuptime
CVE-2026-30921Same product: Hackerbay Oneuptime
CVE-2026-33142Same product: Hackerbay Oneuptime
CVE-2026-34840Same product: Hackerbay Oneuptime
CVE-2026-34759Same product: Hackerbay Oneuptime
CVE-2026-27728Same product: Hackerbay Oneuptime
CVE-2026-28787Same product: Hackerbay Oneuptime
CVE-2026-30958Same product: Hackerbay Oneuptime
CVE-2026-33143Same product: Hackerbay Oneuptime

Affected Assets

hackerbay
oneuptime
≤ 10.0.23

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Filters output from Markdown rendering of Mermaid diagrams to block executable JavaScript in SVG via XSS.

prevent

Validates user-supplied Markdown inputs to reject malicious Mermaid click directives before processing.

prevent

Ensures timely patching of OneUptime to version 10.0.23 or later to remediate the insecure Mermaid rendering flaw.

References