PT-2026-28479 · Oneuptime · Oneuptime

Published 2026-03-26 · Updated 2026-03-29 · CVE-2026-33396

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.35

Description: OneUptime is an open-source monitoring and observability platform. A low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code runs in VMRunner.runCodeInNodeVM with a live Playwright page object, and the sandbox relies on an incomplete denylist to restrict what that object exposes. Specifically, the browserType and launchServer properties/methods are not blocked, so an attacker can traverse page.context().browser().browserType.launchServer(...) and spawn arbitrary processes. Because the sandbox can be escaped, the result is full remote code execution.

Recommendations: Versions prior to 10.0.35: update to version 10.0.35 or later to address this issue.

Tags: Exploit · Fix · RCE

Weakness Enumeration: OS Command Injection · Protection Mechanism Failure · Incomplete List of Disallowed Inputs

Related Identifiers: CVE-2026-33396 · GHSA-CQPG-PHPP-9JJG

Affected Products: Oneuptime