| CVE-2026-33143 |
|
High |
Mar 20, 2026 |
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsap
more...
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.
less...
|
4.0.69, 4.0.68, 4.0.67, 4.0.66, 4.0.65, 4.0.64, 4.0.63, 4.0.62, 4.0.61, 4.0.60
|
| CVE-2026-33142 |
|
High |
Mar 20, 2026 |
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via
more...
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys. This issue has been patched in version 10.0.34.
less...
|
4.0.69, 4.0.68, 4.0.67, 4.0.66, 4.0.65, 4.0.64, 4.0.63, 4.0.62, 4.0.61, 4.0.60
|
| CVE-2026-32598 |
|
Medium |
Mar 13, 2026 |
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — c
more...
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.
less...
|
4.0.69, 4.0.68, 4.0.67, 4.0.66, 4.0.65, 4.0.64, 4.0.63, 4.0.62, 4.0.61, 4.0.60
|
| CVE-2026-32308 |
|
High |
Mar 13, 2026 |
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with secu
more...
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.
less...
|
4.0.69, 4.0.68, 4.0.67, 4.0.66, 4.0.65, 4.0.64, 4.0.63, 4.0.62, 4.0.61, 4.0.60
|
| CVE-2026-32306 |
|
Critical |
Mar 13, 2026 |
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregatio
more...
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
less...
|
4.0.69, 4.0.68, 4.0.67, 4.0.66, 4.0.65, 4.0.64, 4.0.63, 4.0.62, 4.0.61, 4.0.60
|
