CVE-2026-32308

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-13 19:54

Updated : 2026-03-17 20:08

NVD link : CVE-2026-32308

Mitre link : CVE-2026-32308

CVE.ORG link : CVE-2026-32308

JSON object : View

Products Affected

hackerbay

oneuptime

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-32308", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-13T19:54:42.147", "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: \"loose\" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23."}, {"lang": "es", "value": "OneUptime es una soluci\u00f3n para monitorear y gestionar servicios en l\u00ednea. Antes de la versi\u00f3n 10.0.23, el componente visor de Markdown renderiza diagramas Mermaid con securityLevel: 'loose' e inyecta la salida SVG a trav\u00e9s de innerHTML. Esta configuraci\u00f3n permite expl\u00edcitamente enlaces de eventos interactivos en los diagramas Mermaid, lo que habilita XSS a trav\u00e9s de la directiva 'click' de Mermaid que puede ejecutar JavaScript arbitrario. Cualquier campo que renderice markdown (descripciones de incidentes, anuncios de p\u00e1ginas de estado, notas de monitores) es vulnerable. Esta vulnerabilidad se corrige en la versi\u00f3n 10.0.23."}], "lastModified": "2026-03-17T20:08:07.103", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF2F89C2-1AB8-4611-9B0B-A4CFA02C807E", "versionEndExcluding": "10.0.23"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}