CVE-2026-33396 in OneUptimeinformação

Sumário

de MITRE • 26/03/2026

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsável

GitHub M

Reservar

19/03/2026

Divulgação

26/03/2026

Moderação

aceite

Entrada

VDB-353612

CPE

pronto

CWE

CWE-78 (confirmado)

CVSS

9.9 (CNA)

EPSS

0.01126

KEV

não

Atividades

muito baixo

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-33396
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-33396
CVE Details	https://www.cvedetails.com/cve/CVE-2026-33396/

◂ Voltar Visão Geral Próximo ▸

Interested in the pricing of exploits?

See the underground prices here!