CVE-2026-27574

CRITICAL

OneUptime <=9.5.13 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-27574, with PoCs published by XiaomingX and mbanyamer.

AI-analyzed exploit summary

This repository contains a functional Python exploit for CVE-2026-27574, targeting OneUptime's Custom JavaScript Monitor feature to achieve remote code execution (RCE) without pre-existing credentials via arbitrary JavaScript injection. The exploit automates account registration, project creation, and payload delivery to leak sensitive environment variables and execute commands.

Description

OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, the custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process. Because the probe runs with host networking and holds all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) in its environment variables, and monitor creation is available to the lowest role (ProjectMember) with open registration enabled by default, any anonymous user can register an account and achieve full cluster compromise in about 30 seconds. This issue has been fixed in version 10.0.5.

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27574

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OneUptime < 10.0.0
No auth needed
Prerequisites: Open registration on target instance · Network access to target
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by mbanyamer · poc
https://github.com/mbanyamer/CVE-2026-27574-OneUptime-RCE

This repository contains a functional Python exploit for CVE-2026-27574, targeting OneUptime's Custom JavaScript Monitor feature to achieve unauthenticated RCE via JavaScript code injection. The exploit automates account registration, project creation, and payload execution to leak environment variables and execute commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OneUptime < 10.0.0
No auth needed
Prerequisites: Open registration on target instance · Network access to target
devstral-2 · analyzed Feb 22, 2026

Scores

CVSS v3.1: 9.9
EPSS: 0.0003
EPSS Percentile: 8.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Status: published
Products (2)
hackerbay/oneuptime < 10.0.5
oneuptime/common 0 - 10.0.0 (npm)
Published: Feb 21, 2026
Tracked Since: Feb 21, 2026