Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.
Published: 2026-03-12
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution (Browser XSS)
Action: Immediate Patch
AI Analysis

Impact

OneUptime Markdown viewer renders Mermaid diagrams with securityLevel set to "loose" and injects the resulting SVG via innerHTML. The "loose" setting allows interactive event bindings, enabling a malicious click directive to execute arbitrary JavaScript. This stored XSS flaw can be leveraged to run attacker-controlled code within the browser context of any user who views a compromised field such as incident descriptions, status page announcements, or monitor notes. As a result, an attacker may exfiltrate credentials, hijack sessions, or perform further attacks against the local machine.
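The weak configuration the advisory describes beside its hardened form, plus a check a defender can run over stored markdown fields before they reach the viewer, as an added JavaScript example (not OneUptime's code; the Mermaid `securityLevel` values and the assumption that only 'strict' and 'sandbox' ignore interactive bindings come from Mermaid's documentation, and the sample fields are constructed):

```javascript
// Constructed example, not OneUptime's code: the Mermaid configuration the
// advisory describes beside its hardened form, plus a defensive scan of stored
// markdown fields for Mermaid diagrams using the `click` directive. Assumption:
// Mermaid's 'strict' (default) and 'sandbox' levels ignore interactive bindings.

// Configuration in OneUptime before 10.0.23 (per the advisory): permits
// interactive event bindings, so a `click` directive can run script.
const MERMAID_CONFIG_LOOSE = { startOnLoad: false, securityLevel: 'loose' };

// Hardened configuration: 'strict' disables click bindings and encodes HTML
// in labels, closing the vector regardless of how the SVG is inserted.
const MERMAID_CONFIG_STRICT = { startOnLoad: false, securityLevel: 'strict' };

const NON_INTERACTIVE_LEVELS = new Set(['strict', 'sandbox']);
const FENCE = '\x60\x60\x60'; // three backticks, written escaped

// True when the configuration does not allow interactive bindings.
function isMermaidConfigSafe(config) {
  return NON_INTERACTIVE_LEVELS.has(config && config.securityLevel);
}

// Returns the bodies of all mermaid fenced blocks in a markdown string.
function extractMermaidBlocks(markdown) {
  const fence = /`{3}mermaid[^\n]*\n([\s\S]*?)`{3}/g;
  const blocks = [];
  let match;
  while ((match = fence.exec(markdown)) !== null) blocks.push(match[1]);
  return blocks;
}

// A `click` directive binds a node to a callback or link; untrusted content
// (incident descriptions, announcements, monitor notes) never needs it.
function hasClickDirective(diagram) {
  return /^[ \t]*click[ \t]+\S+/m.test(diagram);
}

// Audits an object of field name -> markdown and returns the names of fields
// holding a Mermaid diagram with a click directive, for review or rejection.
function auditMarkdownFields(fields) {
  return Object.keys(fields).filter((name) =>
    extractMermaidBlocks(fields[name]).some(hasClickDirective)
  );
}

// Constructed sample data: one benign diagram, one with a click binding.
const SAMPLE_FIELDS = {
  incidentDescription: 'DB outage.\n\n' + FENCE + 'mermaid\ngraph TD\n  A[API] --> B[DB]\n' + FENCE + '\n',
  monitorNotes: FENCE + 'mermaid\ngraph LR\n  A[Link] --> B\n  click A callback "open"\n' + FENCE + '\n',
};
console.log(auditMarkdownFields(SAMPLE_FIELDS)); // → [ 'monitorNotes' ]
```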

Affected Systems

The vulnerability affects OneUptime versions prior to 10.0.23. Any OneUptime installation whose Markdown viewer renders Mermaid diagrams with securityLevel "loose" (that is, every version before 10.0.23) is affected. Upgrading to version 10.0.23 or later is required to remediate this flaw.

Risk and Exploitability

The CVSS base score is 7.6, indicating high severity. The EPSS score is reported to be below 1%, suggesting a low current likelihood of exploitation. The vulnerability is not cataloged in the CISA KEV listing. An attacker must get a user to view content containing the malicious Mermaid diagram, after which arbitrary JavaScript executes in the victim's browser. The attack therefore requires user interaction; however, because the payload is stored, it persists across sessions and can affect every user who views the field.

Generated by OpenCVE AI on March 17, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.23 or later to remove the insecure Mermaid rendering configuration
  • If an upgrade is not immediately possible, reconfigure the Markdown viewer to use securityLevel "strict" or otherwise disable Mermaid click handling
  • Verify that all markdown fields (incident descriptions, status page announcements, monitor notes) are sanitized before rendering
  • Monitor user-submitted markdown and review application logs for unusual XSS activity

Advisories
Source: GitHub GHSA
ID: GHSA-wvh5-6vjm-23qh
Title: OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")
History

Tue, 17 Mar 2026 20:15:00 +0000

First Time appeared (values added): Hackerbay; Hackerbay oneuptime
CPEs (values added): cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products (values added): Hackerbay; Hackerbay oneuptime

Sat, 14 Mar 2026 04:15:00 +0000

Metrics (values added): ssvc, version 2.0.3: Automatable: no; Exploitation: poc; Technical Impact: partial


Fri, 13 Mar 2026 10:00:00 +0000

First Time appeared (values added): Oneuptime; Oneuptime oneuptime
Vendors & Products (values added): Oneuptime; Oneuptime oneuptime

Thu, 12 Mar 2026 21:45:00 +0000

Description (values added): identical to the Description at the top of this page
Title (values added): OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")
Weaknesses (values added): CWE-79
References (values added):
Metrics (values added): cvssV3_1, score 7.6, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-14T03:43:13.858Z

Reserved: 2026-03-11T21:16:21.659Z

Link: CVE-2026-32308

Vulnrichment

Updated: 2026-03-14T03:43:09.143Z

NVD

Status: Analyzed

Published: 2026-03-13T19:54:42.147

Modified: 2026-03-17T20:08:07.103

Link: CVE-2026-32308

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T10:00:12Z

Weaknesses