CVE-2026-32308: OneUptime

Severity: High (7.6)

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via...

Overview

A high-severity cross-site scripting (XSS) vulnerability has been identified in the OneUptime monitoring and management platform. This flaw, tracked as CVE-2026-32308, allows an attacker to execute malicious JavaScript code within the application’s interface.

Vulnerability Details

In versions prior to 10.0.23, OneUptime’s Markdown viewer component is configured to render Mermaid diagrams with an insecure security setting (securityLevel: "loose"). This setting explicitly permits interactive elements within diagrams. The system then injects the generated SVG output using innerHTML without proper sanitization. An attacker can exploit this by crafting a Mermaid diagram with a malicious click directive. When this diagram is rendered, the embedded JavaScript code executes automatically in the victim’s browser context.

Any user input field that supports Markdown rendering is a potential attack vector. This includes incident descriptions, status page announcements, and monitor notes.

Potential Impact

The primary risk is a stored XSS attack. An attacker with permission to create or edit content (e.g., an incident report) could embed malicious code that executes for every user who later views that content. This could lead to:

  • Session hijacking, allowing unauthorized access to user accounts.
  • Defacement of status pages or internal interfaces.
  • Theft of sensitive data or administrative credentials.
  • Deployment of further malware within the user’s environment.

Such breaches can severely damage trust and operational integrity.

Remediation and Mitigation

The vendor has released a fix in OneUptime version 10.0.23.

Immediate Action Required:

  1. Upgrade: All users must upgrade their OneUptime installation to version 10.0.23 or later immediately. This is the only complete remediation.
  2. Audit Logs: Review application and database logs for any unusual or malicious-looking Markdown content containing Mermaid diagrams, particularly with click directives.
  3. User Awareness: Advise users, especially those with content-creation privileges, to be cautious of unexpected links or behavior in Markdown content until the upgrade is complete.
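The audit step above asks reviewers to look for Mermaid diagrams carrying click directives, and the Vulnerability Details section names securityLevel: "loose" as the Mermaid setting that lets those directives run. The JavaScript below is an added example, not OneUptime's code and not its fix: it scans Markdown of the kind stored in incident descriptions or status page announcements for Mermaid fenced blocks containing click directives and reports their line numbers, and it checks a Mermaid configuration object for the insecure level. The sample content is constructed; the mapping of the 'antiscript' level to enabled click handlers comes from Mermaid's own securityLevel documentation, not from this advisory.

```javascript
// Added example, not OneUptime's code: audit stored Markdown for Mermaid
// diagrams that carry click directives (the pattern the advisory says to
// review) and check a Mermaid config object for the insecure securityLevel.

// A Mermaid fenced block: an opening ```mermaid line, the diagram body, and a
// closing ``` line. [ \t]* (not \s*) so the fence tag cannot spill onto a
// following line; the lazy body stops at the first closing fence.
const MERMAID_FENCE_RE = /^```[ \t]*mermaid\b[^\n]*\n([\s\S]*?)^```/gim;

// Mermaid click directives start a line with the keyword `click` followed by a
// node id (e.g. `click A href "..."` or `click A callback "..."`).
const CLICK_DIRECTIVE_RE = /^click\s+\S+/i;

/**
 * Scan Markdown text and return every click directive found inside a Mermaid
 * fenced block, with the 1-based line number of the directive in the source.
 * Fenced blocks with other language tags are ignored, so the word "click" in
 * ordinary code samples or prose does not produce a finding.
 */
function findMermaidClickDirectives(markdown) {
  const findings = [];
  for (const match of markdown.matchAll(MERMAID_FENCE_RE)) {
    // Line number of the opening fence: count the lines before the match.
    const fenceLine = markdown.slice(0, match.index).split('\n').length;
    const bodyLines = match[1].split('\n');
    bodyLines.forEach((raw, i) => {
      const line = raw.trim();
      if (CLICK_DIRECTIVE_RE.test(line)) {
        findings.push({ line: fenceLine + 1 + i, directive: line });
      }
    });
  }
  return findings;
}

/**
 * Report whether a Mermaid configuration object enables click callbacks.
 * Per Mermaid's securityLevel documentation (not this advisory): 'strict' is
 * the default and disables click functionality, 'sandbox' renders inside a
 * sandboxed iframe, while 'loose' and 'antiscript' enable click handlers.
 * The advisory identifies 'loose' as the setting used before 10.0.23.
 */
function auditMermaidConfig(config) {
  const level = (config && config.securityLevel) || 'strict';
  return {
    securityLevel: level,
    allowsClickCallbacks: level === 'loose' || level === 'antiscript',
  };
}

// Constructed sample: an incident description of the kind OneUptime renders as
// Markdown, with one click directive inside its diagram (not a real incident).
const SAMPLE_INCIDENT_DESCRIPTION = [
  'Database latency spike (constructed sample)',
  '',
  '```mermaid',
  'flowchart LR',
  '  A[Users] --> B[API]',
  '  B --> C[(Postgres)]',
  '  click C callback "open runbook"',
  '```',
  '',
  'Root cause under investigation.',
].join('\n');

// Constructed sample that must produce no findings: a Mermaid block without
// click directives and a non-Mermaid block that merely mentions "click".
const SAMPLE_BENIGN = [
  '```mermaid',
  'sequenceDiagram',
  '  Monitor->>Alerting: probe failed',
  '```',
  '',
  '```js',
  'button.addEventListener("click", handler);',
  '```',
].join('\n');

console.log(findMermaidClickDirectives(SAMPLE_INCIDENT_DESCRIPTION));
// [ { line: 7, directive: 'click C callback "open runbook"' } ]
console.log(findMermaidClickDirectives(SAMPLE_BENIGN)); // []
console.log(auditMermaidConfig({ securityLevel: 'loose' }));
// { securityLevel: 'loose', allowsClickCallbacks: true }
```

Run the scanner over exported incident, announcement and monitor-note bodies and review every finding by hand; a click directive is not proof of abuse, but in a pre-10.0.23 deployment it is the construct the advisory says can carry executable code, so each one deserves a look at who wrote it and when.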

Temporary Mitigation (if upgrade is delayed): As a temporary workaround, administrators can consider disabling the rendering of Mermaid diagrams or implementing a strict content security policy (CSP) to block inline script execution. However, these measures may break functionality and are not a substitute for patching.
