PT-2026-26603 · Unknown · Uptime Kuma
Peaktwilight · Published 2025-10-20 · Updated 2026-03-22 · CVE-2026-33130
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Uptime Kuma versions 1.23.0 through 2.2.0

Description: Uptime Kuma is an open source, self-hosted monitoring tool. Versions 1.23.0 through 2.2.0 do not fully implement the fix for GHSA-vffh-c9pq-4crh, leaving the application susceptible to Server-Side Template Injection (SSTI). The mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block paths enclosed in quotes; an attacker can bypass them with unquoted absolute paths and read any file on the server. The original fix in notification-provider.js only addresses the initial stages of file resolution in LiquidJS, but the require.resolve() fallback in liquid.node.js lacks containment checks, so an unquoted absolute path such as /etc/passwd is resolved successfully. Quoted paths are blocked only because the quote characters trigger a MODULE_NOT_FOUND error, a coincidental side effect rather than an intentional security measure.

Recommendations: Update to Uptime Kuma version 2.2.1 or later.

Related Identifiers

CVE-2026-33130
GHSA-v832-4r73-wx5j
GHSA-vffh-c9pq-4crh

Affected Products

Uptime Kuma