CVE-2026-30887

Name of the Vulnerable Software and Affected Versions OneUptime versions prior to 10.0.18

Description OneUptime allows project members to execute custom Playwright/JavaScript code via Synthetic Monitors. This code is executed within the Node.js vm module, which is not a secure sandbox. An attacker can leverage a prototype-chain escape using this.constructor.constructor to bypass the sandbox and gain access to the underlying Node.js process object. This allows for arbitrary system command execution (RCE) on the oneuptime-probe container. Because the probe holds database and cluster credentials in its environment variables, a successful exploit leads to a complete cluster compromise. The vulnerability resides in the Common/Server/Utils/VM/VMRunner.ts file, specifically in the vm.runInContext() function. An attacker can use a payload like const proc = this.constructor.constructor('return process')(); to escape the sandbox and execute commands.

Recommendations Versions prior to 10.0.18 should be updated to version 10.0.18 or later.