CVE-2026-32308 in oneuptime
Summary
by MITRE • 03/13/2026
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified as CVE-2026-32308 affects the OneUptime monitoring solution in versions prior to 10.0.23, specifically its Markdown viewer component, which renders Mermaid diagrams. The flaw is a critical cross-site scripting vulnerability arising from insecure rendering practices in the application's documentation and reporting features. It stems from the Markdown viewer's configuration, which explicitly sets securityLevel to "loose" when rendering Mermaid diagrams and so undermines the security posture of the entire monitoring platform. That setting permits interactive event bindings inside diagrams, which can be exploited to execute malicious JavaScript through Mermaid's click directive.
Exploitation consists of injecting a malicious Mermaid diagram containing click directives that trigger arbitrary JavaScript execution when the diagram is rendered in the application's interface. The securityLevel parameter in Mermaid.js controls how strictly the rendering engine enforces its security restrictions; the "loose" setting permits interactive elements that an attacker can use to run code in the context of the victim's browser session. As a result, every field that accepts markdown input becomes a potential vector, including incident descriptions, status page announcements, and monitor notes. The vulnerability is particularly concerning because it abuses a legitimate application feature to deliver the payload, which makes detection and prevention harder.
The operational impact extends beyond script execution itself: successful exploitation could let attackers steal user sessions, access sensitive monitoring data, modify system configuration, or escalate privileges within the monitoring environment. Because the vulnerable fields are routinely used for operational communication and incident reporting, an attacker could compromise the integrity of critical system information or manipulate status page content to mislead users about system health. The flaw affects the core of OneUptime's monitoring functionality, potentially exposing monitoring data, service status information, and operational details that administrators rely on for incident response. This is a significant risk for organizations that use the platform to monitor and manage critical infrastructure.
Organizations should upgrade to version 10.0.23 or later immediately; the fix addresses the root cause by configuring the Mermaid rendering engine with appropriate security restrictions. System administrators should additionally monitor markdown input fields for exploitation attempts and consider a content security policy that restricts script execution in the application's rendering contexts. The vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and represents a specific implementation of the broader category of insecure direct object references that can lead to privilege escalation and data compromise. From an ATT&CK framework perspective it maps to T1566 (Phishing) and T1059 (Command and Scripting Interpreter), since attackers could deliver malicious payloads through seemingly legitimate monitoring communications while executing code in the victim's browser session.
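As an added example (not OneUptime's code and not Mermaid's), the weak and the hardened Mermaid initialisation options the analysis contrasts, together with a defender-side pre-render check that finds and strips click directives inside ```mermaid fences in markdown fields such as incident descriptions. It assumes only Mermaid's documented securityLevel option; the sample incident note is constructed here.

```javascript
// Added example, not OneUptime's code. Assumes only Mermaid's documented
// `securityLevel` initialise option; the sample markdown is constructed here.

// The setting the advisory describes, next to Mermaid's default. "strict"
// (the default) disables click functionality and encodes tags in the SVG.
const LOOSE_CONFIG = { startOnLoad: false, securityLevel: "loose" };    // vulnerable
const HARDENED_CONFIG = { startOnLoad: false, securityLevel: "strict" }; // fixed

// Matches fenced ```mermaid blocks in markdown; group 1 is the diagram body.
const MERMAID_FENCE = /```mermaid[ \t]*\r?\n([\s\S]*?)```/g;
// A Mermaid click directive is a line beginning "click <nodeId> ...".
const CLICK_DIRECTIVE = /^\s*click\s+\S+/i;

function extractMermaidBlocks(markdown) {
  return [...markdown.matchAll(MERMAID_FENCE)].map((m) => m[1]);
}

// Pre-render check: report every click directive found inside a mermaid block.
function findClickDirectives(markdown) {
  const hits = [];
  extractMermaidBlocks(markdown).forEach((block, b) => {
    block.split("\n").forEach((line, n) => {
      if (CLICK_DIRECTIVE.test(line)) hits.push({ block: b, line: n + 1, text: line.trim() });
    });
  });
  return hits;
}

// Defensive rewrite: drop click directives but keep the rest of the diagram.
function stripClickDirectives(markdown) {
  return markdown.replace(MERMAID_FENCE, (whole, body) => {
    const kept = body.split("\n").filter((l) => !CLICK_DIRECTIVE.test(l)).join("\n");
    return "```mermaid\n" + kept + "```";
  });
}

// Gate to run before mermaid.render(): refuse a loose config, and refuse
// content that still carries click directives.
function safeToRender(markdown, config) {
  const reasons = [];
  if (config.securityLevel === "loose") reasons.push("securityLevel is loose");
  const hits = findClickDirectives(markdown);
  if (hits.length) reasons.push(`${hits.length} click directive(s) in diagram`);
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample: an incident note whose diagram carries a click binding.
const SAMPLE = [
  "# Incident update", "Failover to the replica completed.", "```mermaid",
  "graph TD", "  A[API] --> B[DB]", "  click B call handleNode()", "```",
].join("\n");
```

Running safeToRender on every markdown field before it reaches the viewer gives a single place to log and block attempts, independent of which Mermaid version is bundled.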