PT-2026-24190 · Oneuptime

Maru1009 · Published 2026-03-10 · Updated 2026-03-17

CVE-2026-30957
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.21
Description: OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue that does not require a separate vm sandbox escape. The probe pins Playwright version 1.58.2, which allows exploitation through the BrowserType.launch() function with attacker-controlled parameters such as executablePath and args. The vulnerability is reachable through both one-shot monitor testing and normal scheduled monitor execution.
Recommendations: Versions prior to 10.0.21 should be updated to version 10.0.21 or later.

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-30957
GHSA-JW8Q-GJVG-8W4Q

Affected Products

Oneuptime
Playwright