CVE-2026-45102
CRITICAL
OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion
Title source: cna
Description
OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js vm module as an isolation primitive. This API was not designed for that purpose and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.
References (1)
Core References
x_refsource_confirm
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-g9cp-35m2-fjv6
Scores
CVSS v3: 9.9
EPSS: 0.0027
EPSS Percentile: 18.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-693
Status: published
Products (1)
OneUptime/oneuptime: < 10.0.98
Published: May 27, 2026
Tracked Since: May 28, 2026