{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-30887","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-06T00:04:56.700Z","datePublished":"2026-03-09T22:40:04.425Z","dateUpdated":"2026-03-10T14:00:44.197Z"},"containers":{"cna":{"title":"OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE","problemTypes":[{"descriptions":[{"cweId":"CWE-94","lang":"en","description":"CWE-94: Improper Control of Generation of Code ('Code Injection')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67","tags":["x_refsource_CONFIRM"],"url":"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"}],"affected":[{"vendor":"OneUptime","product":"oneuptime","versions":[{"version":"< 10.0.18","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-09T22:40:04.425Z"},"descriptions":[{"lang":"en","value":"OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the Node.js vm module, which is not a security sandbox. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18."}],"source":{"advisory":"GHSA-h343-gg57-2q67","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-10T14:00:41.087768Z","id":"CVE-2026-30887","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-10T14:00:44.197Z"}}]}}