PT-2026-25086 · Oneuptime+3 · Oneuptime

Restriction · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32308

CVSS v3.1: 7.6 (High) · AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.23

Description: OneUptime, a service for monitoring and managing online services, has an issue where the Markdown viewer component renders Mermaid diagrams with securityLevel set to "loose". That setting permits interactive event bindings in Mermaid output, and because the viewer injects the resulting SVG into the DOM with innerHTML, those bindings become live in the page. Specifically, Mermaid's click directive can be used to execute arbitrary JavaScript. Any field that renders Markdown is affected, including incident descriptions, status page announcements, and monitor notes, so the result is stored cross-site scripting (XSS) that can exfiltrate sensitive information such as cookies. The root cause is the combination of a Mermaid configuration that allows interactive bindings (securityLevel "loose") with direct injection of the generated SVG via innerHTML. A proof of concept demonstrates cookie exfiltration by embedding a malicious Mermaid diagram in an incident note.

Recommendations: Versions prior to 10.0.23 should be updated to version 10.0.23 or later.
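The description above identifies two contributing settings: Mermaid initialised with securityLevel "loose" and the SVG written with innerHTML. The following is an added example, not OneUptime's code or its fix, showing the hardened initialisation a Markdown viewer should use and a pre-render guard that flags interactive Mermaid directives in stored Markdown before it reaches the renderer. The fence syntax (three backticks followed by "mermaid"), the sample incident note, and the directive patterns are assumptions constructed for this example; the Mermaid configuration keys (startOnLoad, securityLevel) are Mermaid's documented options.

```javascript
// Added example: hardened Mermaid configuration plus a pre-render guard.
// Not OneUptime's code. Assumes Markdown diagrams are delimited by
// ```mermaid fences, as in common Markdown viewers.

// With securityLevel "strict" (Mermaid's default) the renderer does not emit
// click bindings and HTML-encodes text in labels, so the SVG carries no
// executable handlers even if it is later placed in the DOM.
const HARDENED_MERMAID_CONFIG = Object.freeze({
  startOnLoad: false,
  securityLevel: 'strict',
});

// Directives that only have an effect when securityLevel is relaxed.
// Flagging them lets a reviewer or a server-side validator reject the
// note instead of relying solely on the client configuration.
const INTERACTIVE_DIRECTIVES = [
  /^\s*click\s+\S+/i,     // click <nodeId> callback|href ...
  /^\s*%%\{\s*init\s*:/i, // inline init directive trying to override config
  /javascript\s*:/i,      // javascript: URL inside an href target
];

// Pull the body of every ```mermaid fenced block out of a Markdown string.
function extractMermaidBlocks(markdown) {
  const blocks = [];
  const fence = /```mermaid[^\n]*\n([\s\S]*?)```/gi;
  let match;
  while ((match = fence.exec(markdown)) !== null) {
    blocks.push(match[1]);
  }
  return blocks;
}

// Return one finding per diagram line that matches an interactive directive.
function findInteractiveDirectives(markdown) {
  const findings = [];
  extractMermaidBlocks(markdown).forEach((block, blockIndex) => {
    block.split('\n').forEach((line, lineIndex) => {
      for (const pattern of INTERACTIVE_DIRECTIVES) {
        if (pattern.test(line)) {
          findings.push({ block: blockIndex, line: lineIndex + 1, text: line.trim() });
          break;
        }
      }
    });
  });
  return findings;
}

// Decision helper a save handler or renderer can call: allow only when no
// interactive directive is present.
function guardMarkdown(markdown) {
  const findings = findInteractiveDirectives(markdown);
  return { allowed: findings.length === 0, findings };
}

// Constructed sample of a stored incident note containing a click binding.
const SAMPLE_NOTE = [
  'Database failover completed at 03:12 UTC.',
  '',
  '```mermaid',
  'graph LR',
  '  A[Primary] --> B[Replica]',
  '  click B callback "showReplicaDetails"',
  '```',
  '',
  'Root cause under investigation.',
].join('\n');

// Constructed sample with a plain diagram and no bindings.
const CLEAN_NOTE = '```mermaid\ngraph TD\n  A --> B\n```';

console.log(HARDENED_MERMAID_CONFIG.securityLevel); // "strict"
console.log(guardMarkdown(SAMPLE_NOTE));            // allowed: false, one finding
console.log(guardMarkdown(CLEAN_NOTE));             // allowed: true, no findings
```

The guard is a defence in depth for the client-side setting: even with securityLevel "strict", rejecting or flagging click and init directives at save time gives operators a record of attempts and keeps diagrams in notes purely declarative.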

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32308
GHSA-WVH5-6VJM-23QH

Affected Products

Oneuptime