{"id":"CVE-2026-30887","summary":"OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE","details":"OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.","aliases":["GHSA-h343-gg57-2q67"],"modified":"2026-03-14T15:06:16.619824Z","published":"2026-03-09T22:40:04.425Z","database_specific":{"cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30887.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30887.json"},{"type":"ADVISORY","url":"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30887"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/oneuptime/oneuptime","events":[{"introduced":"0"},{"fixed":"8e90f451426b160718bdd1796b68c5ec15318101"}]}],"versions":["${CI_PIPELINE_ID}","10.0.11","10.0.15","10.0.16","10.0.17","10.0.5","10.0.7","10.0.9","6.0.$CI_PIPELINE_ID","6.0.1","6.0.12","6.0.14","6.0.15","6.0.17","6.0.18","6.0.19","6.0.2","6.0.20","6.0.21","6.0.22","6.0.23","6.0.24","6.0.25","6.0.26","6.0.27","6.0.28","7.0.1000","7.0.1004","7.0.1039","7.0.104","7.0.1055","7.0.106","7.0.1078","7.0.109","7.0.1093","7.0.11","7.0.112","7.0.114","7.0.1143","7.0.1144","7.0.1167","7.0.1174","7.0.1183","7.0.1184","7.0.119","7.0.1191","7.0.1192","7.0.1195","7.0.122","7.0.1225","7.0.1229","7.0.123","7.0.1230","7.0.1243","7.0.1246","7.0.126","7.0.1265","7.0.1290","7.0.1295","7.0.1297","7.0.130","7.0.131","7.0.1326","7.0.1327","7.0.134","7.0.1341","7.0.1353","7.0.137","7.0.1375","7.0.1377","7.0.1378","7.0.1379","7.0.1383","7.0.1388","7.0.139","7.0.1390","7.0.1392","7.0.1393","7.0.1403","7.0.141","7.0.1414","7.0.1430","7.0.1436","7.0.144","7.0.1441","7.0.1461","7.0.1469","7.0.149","7.0.1491","7.0.1494","7.0.1497","7.0.1498","7.0.1499","7.0.1500","7.0.1502","7.0.1505","7.0.1506","7.0.1510","7.0.1513","7.0.1514","7.0.1517","7.0.1528","7.0.1529","7.0.1544","7.0.155","7.0.1555","7.0.1557","7.0.1568","7.0.157","7.0.1581","7.0.1585","7.0.1586","7.0.160","7.0.162","7.0.1633","7.0.1637","7.0.1638","7.0.1642","7.0.1643","7.0.165","7.0.167","7.0.1688","7.0.169","7.0.1694","7.0.1697","7.0.1708","7.0.1709","7.0.1717","7.0.173","7.0.1733","7.0.1740","7.0.1741","7.0.1744","7.0.1745","7.0.1751","7.0.1752","7.0.1758","7.0.1762","7.0.1763","7.0.1765","7.0.1767","7.0.1769","7.0.1775","7.0.1780","7.0.1787","7.0.179","7.0.1790","7.0.1791","7.0.1792","7.0.1794","7.0.1797","7.0.18","7.0.1800","7.0.1803","7.0.1814","7.0.1815","7.0.182","7.0.1829","7.0.183","7.0.1830","7.0.1843","7.0.1852","7.0.1854","7.0.1856","7.0.1858","7.0.1860","7.0.1862","7.0.1866","7.0.1867","7.0.1870","7.0.1871","7.0.1874","7.0.1880","7.0.1881","7.0.1886","7.0.1888","7.0.1891","7.0.1894","7.0.1901","7.0.1902","7.0.1910","7.0.1914","7.0.1916","7.0.1920","7.0.1921","7.0.1924","7.0.1929","7.0.193","7.0.1930","7.0.1931","7.0.1934","7.0.1935","7.0.1940","7.0.1945","7.0.1947","7.0.1948","7.0.1965","7.0.1966","7.0.197","7.0.1978","7.0.1982","7.0.1985","7.0.1987","7.0.1989","7.0.200","7.0.2004","7.0.2009","7.0.201","7.0.2012","7.0.2014","7.0.2016","7.0.2018","7.0.2022","7.0.2032","7.0.2033","7.0.204","7.0.2051","7.0.2055","7.0.2057","7.0.2062","7.0.2063","7.0.2066","7.0.207","7.0.2084","7.0.2086","7.0.2088","7.0.2091","7.0.2092","7.0.21","7.0.2118","7.0.213","7.0.2171","7.0.2177","7.0.2178","7.0.2186","7.0.219","7.0.2190","7.0.2191","7.0.2195","7.0.2196","7.0.2200","7.0.2207","7.0.2223","7.0.2224","7.0.2231","7.0.2233","7.0.2237","7.0.2239","7.0.224","7.0.2240","7.0.2243","7.0.2246","7.0.2270","7.0.2279","7.0.228","7.0.2281","7.0.2282","7.0.2286","7.0.2287","7.0.2290","7.0.2292","7.0.2293","7.0.2296","7.0.2299","7.0.2302","7.0.2305","7.0.231","7.0.2314","7.0.2317","7.0.2319","7.0.2320","7.0.2327","7.0.2335","7.0.2338","7.0.2341","7.0.2346","7.0.2349","7.0.2354","7.0.2358","7.0.2361","7.0.2363","7.0.2371","7.0.2372","7.0.2374","7.0.2377","7.0.2380","7.0.239","7.0.2401","7.0.2402","7.0.2410","7.0.2446","7.0.2448","7.0.2449","7.0.2471","7.0.2473","7.0.2475","7.0.2476","7.0.2478","7.0.2479","7.0.2482","7.0.2487","7.0.2509","7.0.2513","7.0.2525","7.0.2550","7.0.2571","7.0.2572","7.0.2574","7.0.2589","7.0.2599","7.0.2620","7.0.2625","7.0.2628","7.0.2639","7.0.2643","7.0.2666","7.0.2721","7.0.2725","7.0.2730","7.0.2774","7.0.2825","7.0.2828","7.0.2832","7.0.2837","7.0.2846","7.0.2873","7.0.2875","7.0.2885","7.0.290","7.0.2901","7.0.2903","7.0.2908","7.0.291","7.0.2913","7.0.2920","7.0.2923","7.0.2928","7.0.2936","7.0.294","7.0.296","7.0.297","7.0.2972","7.0.2976","7.0.298","7.0.2981","7.0.2986","7.0.2988","7.0.2994","7.0.3010","7.0.3018","7.0.3026","7.0.3035","7.0.3038","7.0.3040","7.0.3052","7.0.3064","7.0.3076","7.0.3080","7.0.3086","7.0.3095","7.0.3113","7.0.3124","7.0.3126","7.0.3129","7.0.3140","7.0.3148","7.0.315","7.0.3153","7.0.3158","7.0.316","7.0.3163","7.0.3176","7.0.318","7.0.3188","7.0.3198","7.0.3200","7.0.3202","7.0.3206","7.0.321","7.0.3211","7.0.3212","7.0.3225","7.0.3227","7.0.3237","7.0.324","7.0.3240","7.0.3242","7.0.3245","7.0.3250","7.0.3260","7.0.3278","7.0.3279","7.0.328","7.0.3291","7.0.3300","7.0.3309","7.0.333","7.0.3330","7.0.3336","7.0.3338","7.0.334","7.0.3343","7.0.335","7.0.3350","7.0.3351","7.0.3357","7.0.336","7.0.3365","7.0.3377","7.0.3387","7.0.339","7.0.3393","7.0.3403","7.0.3405","7.0.341","7.0.3413","7.0.3426","7.0.3437","7.0.344","7.0.3442","7.0.3445","7.0.3448","7.0.3453","7.0.3456","7.0.346","7.0.3464","7.0.3471","7.0.348","7.0.3480","7.0.35","7.0.350","7.0.3515","7.0.3517","7.0.352","7.0.3526","7.0.3538","7.0.354","7.0.3546","7.0.3548","7.0.3549","7.0.355","7.0.3557","7.0.3565","7.0.3579","7.0.358","7.0.3599","7.0.360","7.0.361","7.0.3611","7.0.3617","7.0.362","7.0.363","7.0.365","7.0.3652","7.0.366","7.0.367","7.0.3679","7.0.368","7.0.3682","7.0.3688","7.0.369","7.0.3691","7.0.3697","7.0.3699","7.0.370","7.0.3705","7.0.3708","7.0.371","7.0.3712","7.0.3716","7.0.3717","7.0.3718","7.0.372","7.0.373","7.0.374","7.0.375","7.0.376","7.0.377","7.0.378","7.0.3786","7.0.379","7.0.38","7.0.380","7.0.381","7.0.382","7.0.3822","7.0.3826","7.0.3831","7.0.384","7.0.3840","7.0.3882","7.0.3887","7.0.39","7.0.3903","7.0.3911","7.0.3914","7.0.3918","7.0.3922","7.0.3928","7.0.393","7.0.3930","7.0.3935","7.0.3939","7.0.3949","7.0.395","7.0.3952","7.0.3956","7.0.3958","7.0.3962","7.0.3965","7.0.3966","7.0.3970","7.0.3974","7.0.3975","7.0.3976","7.0.398","7.0.3980","7.0.3987","7.0.399","7.0.3993","7.0.3995","7.0.4001","7.0.4003","7.0.4006","7.0.4019","7.0.403","7.0.4034","7.0.404","7.0.4041","7.0.4066","7.0.407","7.0.4078","7.0.4084","7.0.409","7.0.4090","7.0.4093","7.0.4098","7.0.4099","7.0.410","7.0.4100","7.0.4102","7.0.4114","7.0.4115","7.0.4116","7.0.4123","7.0.4129","7.0.413","7.0.4135","7.0.414","7.0.4142","7.0.4144","7.0.4148","7.0.4150","7.0.4156","7.0.4158","7.0.416","7.0.4161","7.0.4166","7.0.4176","7.0.4188","7.0.419","7.0.4193","7.0.4194","7.0.422","7.0.4222","7.0.4223","7.0.4226","7.0.4227","7.0.423","7.0.4230","7.0.4232","7.0.4235","7.0.4239","7.0.4245","7.0.4248","7.0.4250","7.0.4255","7.0.4257","7.0.426","7.0.4260","7.0.427","7.0.431","7.0.4310","7.0.4312","7.0.4313","7.0.432","7.0.4341","7.0.4344","7.0.4345","7.0.4346","7.0.4349","7.0.435","7.0.437","7.0.438","7.0.4395","7.0.4415","7.0.4453","7.0.4518","7.0.4541","7.0.4543","7.0.4547","7.0.4578","7.0.4585","7.0.4588","7.0.4596","7.0.4597","7.0.4604","7.0.4652","7.0.4655","7.0.4660","7.0.4663","7.0.4665","7.0.4671","7.0.4674","7.0.4676","7.0.4699","7.0.47","7.0.4717","7.0.4720","7.0.4727","7.0.4741","7.0.4748","7.0.4751","7.0.4758","7.0.4762","7.0.4763","7.0.4766","7.0.4771","7.0.4773","7.0.4808","7.0.4810","7.0.4813","7.0.4815","7.0.4816","7.0.4825","7.0.4829","7.0.4832","7.0.4836","7.0.4844","7.0.4845","7.0.4848","7.0.4849","7.0.4868","7.0.4877","7.0.4917","7.0.4922","7.0.4972","7.0.4976","7.0.4978","7.0.4981","7.0.5007","7.0.5029","7.0.5045","7.0.5058","7.0.5065","7.0.5068","7.0.5069","7.0.5077","7.0.5079","7.0.5080","7.0.5096","7.0.5098","7.0.5108","7.0.528","7.0.529","7.0.53","7.0.530","7.0.533","7.0.534","7.0.537","7.0.538","7.0.54","7.0.542","7.0.543","7.0.546","7.0.548","7.0.549","7.0.55","7.0.551","7.0.556","7.0.557","7.0.559","7.0.56","7.0.563","7.0.566","7.0.567","7.0.568","7.0.57","7.0.572","7.0.575","7.0.576","7.0.580","7.0.581","7.0.586","7.0.587","7.0.590","7.0.591","7.0.592","7.0.595","7.0.596","7.0.599","7.0.601","7.0.602","7.0.606","7.0.608","7.0.612","7.0.613","7.0.616","7.0.617","7.0.620","7.0.621","7.0.622","7.0.625","7.0.626","7.0.629","7.0.636","7.0.640","7.0.645","7.0.647","7.0.650","7.0.653","7.0.654","7.0.657","7.0.658","7.0.662","7.0.664","7.0.667","7.0.668","7.0.67","7.0.672","7.0.675","7.0.678","7.0.680","7.0.683","7.0.685","7.0.689","7.0.69","7.0.690","7.0.693","7.0.695","7.0.698","7.0.71","7.0.72","7.0.723","7.0.724","7.0.725","7.0.729","7.0.730","7.0.734","7.0.738","7.0.739","7.0.743","7.0.747","7.0.748","7.0.75","7.0.753","7.0.755","7.0.756","7.0.759","7.0.76","7.0.761","7.0.762","7.0.765","7.0.766","7.0.774","7.0.775","7.0.778","7.0.782","7.0.79","7.0.791","7.0.796","7.0.797","7.0.8","7.0.804","7.0.81","7.0.810","7.0.813","7.0.814","7.0.817","7.0.818","7.0.82","7.0.823","7.0.826","7.0.829","7.0.834","7.0.835","7.0.838","7.0.840","7.0.841","7.0.844","7.0.849","7.0.85","7.0.851","7.0.859","7.0.86","7.0.865","7.0.868","7.0.873","7.0.875","7.0.89","7.0.890","7.0.892","7.0.894","7.0.90","7.0.905","7.0.907","7.0.911","7.0.912","7.0.918","7.0.927","7.0.929","7.0.931","7.0.943","7.0.944","7.0.948","7.0.949","7.0.953","7.0.954","7.0.955","7.0.959","7.0.961","7.0.965","7.0.966","7.0.972","7.0.973","7.0.977","7.0.979","7.0.98","7.0.984","7.0.996","8.0.5124","8.0.5125","8.0.5129","8.0.5151","8.0.5159","8.0.5163","8.0.5167","8.0.5174","8.0.5181","8.0.5185","8.0.5199","8.0.5203","8.0.5209","8.0.5219","8.0.5220","8.0.5237","8.0.5239","8.0.5312","8.0.5341","8.0.5353","8.0.5355","8.0.5358","8.0.5359","8.0.5362","8.0.5380","8.0.5381","8.0.5403","8.0.5409","8.0.5416","8.0.5438","8.0.5440","8.0.5466","8.0.5469","8.0.5489","8.0.5496","8.0.5516","8.0.5567","8.0.5570","8.0.5571","8.0.5572","8.0.5574","8.0.5579","8.0.5580","8.0.5582","8.0.5584","9.0.5598","9.1.0","9.1.1","9.1.2","9.1.3","9.2.10","9.2.11","9.2.12","9.2.22","9.2.24","9.2.25","9.2.27","9.2.4","9.2.7","9.2.8","9.2.9","9.3.0","9.3.11","9.3.13","9.3.14","9.3.15","9.3.16","9.3.19","9.3.2","9.3.22","9.3.3","9.3.4","9.3.6","9.3.7","9.3.8","9.4.0","9.4.1","9.4.11","9.4.13","9.4.2","9.4.3","9.4.6","9.5.0","9.5.12","9.5.13","9.5.2","9.5.3","9.5.4","9.5.8","build-number-6149","build-number-6151","build-number-6206","build-number-6214","build-number-6343","build-number-6345","build-number-6346","build-number-6366","build-number-6372","build-number-6390","build-number-6393","build-number-6402","build-number-6408","v4.0.0","v4.0.1","v4.0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30887.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}