PT-2026-21959 · Oneuptime · Oneuptime

Dxleryt · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27728

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.7
Description: OneUptime is a solution for monitoring and managing online services. A critical OS command injection vulnerability exists in the NetworkPathMonitor.performTraceroute() function. This flaw allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. The vulnerability stems from the direct interpolation of the user-controlled destination parameter into a shell command string, which is then executed using child_process.exec(). The destination parameter is not sanitized before being used in the command, so shell metacharacters such as semicolons, pipes, and subshells are interpreted by the shell. Successful exploitation could lead to remote code execution, allowing attackers to read sensitive files, pivot to internal services, compromise monitoring data, and establish persistent backdoors. The vulnerability is present in the Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts file, specifically lines 149-191.
Recommendations: Upgrade to OneUptime version 10.0.7 or later to resolve this vulnerability. As a temporary workaround, audit monitor destinations for suspicious characters to prevent remote code execution.
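The following is an added example written for this advisory; it is not OneUptime's code and does not reproduce the patched NetworkPathMonitor.ts. It shows the defensive pattern that closes this class of bug in a Node.js probe: replace string interpolation plus child_process.exec() with an allow-list check on the destination (IP literal or RFC 1123 hostname) and child_process.execFile(), which passes the destination as one argv element and never starts a shell. The function names (isValidDestination, buildTracerouteArgv, runTraceroute, auditDestinations), the traceroute flags (-n, -m, assumed to be Linux traceroute) and the sample destinations are assumptions of this example, not values from the advisory.

```typescript
// Added example (not OneUptime's code): a hardened traceroute runner for a
// Node.js probe. It replaces string interpolation + child_process.exec() with
// strict destination validation + child_process.execFile(), which passes the
// destination as a single argv entry and never invokes a shell.
import { execFile } from "node:child_process";
import { isIP } from "node:net";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Vulnerable pattern described in the advisory (do not use):
//   exec(`traceroute ${destination}`)
// Any shell metacharacter in `destination` becomes part of the command line.

// RFC 1123 hostname: dot-separated labels of 1-63 letters, digits or hyphens,
// no label starting or ending with a hyphen, at most 253 characters overall.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$/;

// Allow-list check: the destination must be an IPv4/IPv6 literal or a
// syntactically valid hostname. Everything else (';', '|', '$(', whitespace,
// a leading '-' that traceroute could read as an option) is rejected.
export function isValidDestination(destination: string): boolean {
  if (typeof destination !== "string" || destination.length === 0) return false;
  if (isIP(destination) !== 0) return true;
  return HOSTNAME_RE.test(destination);
}

// Builds the argv array for traceroute. Throws on invalid input so the caller
// fails closed; the destination is always the last element and is never
// concatenated into a shell string. (Flag names assume Linux traceroute.)
export function buildTracerouteArgv(destination: string, maxHops = 30): string[] {
  if (!isValidDestination(destination)) {
    throw new Error("destination is not a valid hostname or IP address");
  }
  if (!Number.isInteger(maxHops) || maxHops < 1 || maxHops > 255) {
    throw new Error("maxHops out of range");
  }
  return ["-n", "-m", String(maxHops), destination];
}

// Hardened runner: execFile() spawns the binary directly with the argv array,
// so shell metacharacters in `destination` are never interpreted.
export async function runTraceroute(destination: string): Promise<string> {
  const argv = buildTracerouteArgv(destination);
  const { stdout } = await execFileAsync("traceroute", argv, { timeout: 60_000 });
  return stdout;
}

// Workaround from the advisory: audit stored monitor destinations and report
// the ones that fail the allow-list so they can be reviewed or removed.
export function auditDestinations(destinations: string[]): string[] {
  return destinations.filter((d) => !isValidDestination(d));
}
```

The allow-list does double duty: it gates what reaches execFile(), and auditDestinations() applies the same rule to destinations already stored, which is the interim check the recommendation asks for on unpatched Probe servers. Rejecting a leading hyphen matters even with execFile(), because a destination such as "-m" would otherwise be parsed by traceroute as an option rather than a host.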

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-27728
GHSA-JMHP-5558-QXH5

Affected Products

Oneuptime