PT-2026-24093 · Microsoft+1 · Playwright+1

Maru1009 · Published 2026-03-07 · Updated 2026-03-12 · CVE-2026-30921

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.20

Description: OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. This code runs within Node's vm and is provided with live host Playwright objects, such as browser and page. An attacker can therefore use the injected browser object to execute arbitrary code on the probe host/container via browser.browserType().launch(...). The issue stems from exposing dangerous host capabilities to untrusted code; it does not rely on a traditional sandbox escape. It can be exploited through the Test Monitor feature or by creating a malicious Synthetic Monitor, leading to server-side Remote Code Execution (RCE).

The customCode is passed into SyntheticMonitor.execute(...) and then executed through VMRunner.runCodeInNodeVM(...), which creates a Node vm context and exposes host objects. The proxy wrapper does not sufficiently block property names, allowing legitimate Playwright methods to be called with the real host this binding.

Recommendations: Versions prior to 10.0.20 should be updated to version 10.0.20 or later.
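The capability-exposure problem in the description, as an added example that is not OneUptime or Playwright code: a stub host object is handed to a Node vm context first through a name-blocking proxy and then through an allowlist facade. The stub, the blocked-name list and all function names are hypothetical; the stub's launch() only records that it was reached.

```javascript
// Added example: every name here is a hypothetical stand-in, not OneUptime or Playwright code.
const vm = require("vm");

// Stub for a live host Playwright browser; launch() only records that it was reached.
function makeHostBrowser(log) {
  const browserType = { launch() { log.push("launch"); return "launched"; } };
  return {
    browserType() { return browserType; },
    newPage() { return { title: () => "Example" }; },
  };
}

// Weak pattern (assumed shape): block a few property names, forward everything else
// bound to the real host object, so ordinary methods keep their host `this`.
const BLOCKED = new Set(["constructor", "__proto__", "prototype"]);
function denylistProxy(target) {
  return new Proxy(target, {
    get(obj, prop) {
      if (BLOCKED.has(prop)) return undefined;
      const value = obj[prop];
      return typeof value === "function" ? value.bind(obj) : value;
    },
  });
}

// Narrower pattern: expose only named operations and return plain data, never host objects.
// Node documents vm as not a security mechanism, so this limits capability, not isolation.
function allowlistFacade(hostBrowser) {
  return Object.freeze({ pageTitle: () => String(hostBrowser.newPage().title()) });
}

function runUntrusted(code, globals) {
  try {
    return { ok: true, value: vm.runInNewContext(code, globals, { timeout: 100 }) };
  } catch (err) {
    return { ok: false, error: String(err && err.message) };
  }
}

// Constructed monitor script using only the method chain named in the description.
const SCRIPT = "browser.browserType().launch()";

function demo() {
  const weakLog = [], strongLog = [];
  const weak = runUntrusted(SCRIPT, { browser: denylistProxy(makeHostBrowser(weakLog)) });
  const strong = runUntrusted(SCRIPT, { browser: allowlistFacade(makeHostBrowser(strongLog)) });
  return { weak, weakLog, strong, strongLog };
}
```

With the denylist proxy the script reaches the stub's launch() without touching any blocked name; with the facade the same script fails because browserType is never exposed.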

Exploit

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2026-30921
GHSA-4J36-39GM-8VQ8

Affected Products

Oneuptime
Playwright