CVE-2026-32308
HIGHOneUptime < 10.0.23 - Stored Cross-Site Scripting via Mermaid Diagram Click Directive
Title source: llmDescription
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh
Scores
CVSS v3
7.6
EPSS
0.0005
EPSS Percentile
16.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
hackerbay/oneuptime
< 10.0.23
npm/oneuptime
0 - 10.0.23npm
OneUptime/oneuptime
< 10.0.23
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026