CVE-2026-32308
Published: 13 March 2026
Summary
CVE-2026-32308 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS vuln in public-facing Markdown/Mermaid renderer directly enables T1190 (exploit of web app), T1059.007 (arbitrary JS execution via click directive), and T1539 (session cookie/token theft as described impact).
NVD Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams,…
more
enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.
Deeper analysisAI
CVE-2026-32308 is a cross-site scripting (XSS) vulnerability (CWE-79) in OneUptime, an open-source solution for monitoring and managing online services. In versions prior to 10.0.23, the Markdown viewer component processes Mermaid diagrams using a securityLevel set to "loose," which permits interactive event bindings. The resulting SVG output is injected into the page via innerHTML, allowing attackers to leverage Mermaid's click directive to execute arbitrary JavaScript. This affects any user-input fields that render Markdown content, such as incident descriptions, status page announcements, and monitor notes. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by injecting a malicious Mermaid diagram into a vulnerable Markdown field. The attack requires low complexity (AC:L) and user interaction (UI:R), such as a victim clicking on the rendered diagram, which triggers the click directive to execute JavaScript in the context of the application (S:C). Successful exploitation enables high-impact confidentiality violations (C:H), such as stealing session cookies, tokens, or sensitive data viewed by the victim, with low integrity impact (I:L) and no availability disruption (A:N).
The OneUptime security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh details the issue and confirms the fix in version 10.0.23, which addresses the insecure Mermaid rendering configuration. Security practitioners should upgrade to 10.0.23 or later and review any custom Markdown rendering implementations for similar misconfigurations involving SVG injection or loose security policies in diagramming libraries.
Details
- CWE(s)