CVE-2026-33130

Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/advisories/GHSA-vffh-c9pq-4crh	Exploit Mitigation Vendor Advisory
https://github.com/louislam/uptime-kuma/releases/tag/2.2.1	Patch Product
https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 10:16

Updated : 2026-03-24 15:24

NVD link : CVE-2026-33130

Mitre link : CVE-2026-33130

CVE.ORG link : CVE-2026-33130

JSON object : View

Products Affected

uptime.kuma

uptime_kuma

CWE

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

{"id": "CVE-2026-33130", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T10:16:19.463", "references": [{"url": "https://github.com/advisories/GHSA-vffh-c9pq-4crh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.1", "tags": ["Patch", "Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-98"}, {"lang": "en", "value": "CWE-1336"}]}], "descriptions": [{"lang": "en", "value": "Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('\"/etc/passwd\"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1."}, {"lang": "es", "value": "Uptime Kuma es una herramienta de monitoreo de c\u00f3digo abierto y autoalojada. En las versiones 1.23.0 a 2.2.0, la correcci\u00f3n de GHSA-vffh-c9pq-4crh no funciona completamente para prevenir la Inyecci\u00f3n de Plantillas del Lado del Servidor (SSTI). Las tres mitigaciones a\u00f1adidas al motor Liquid (root, relativeReference, dynamicPartials) solo bloquean rutas entre comillas. Si un proyecto utiliza una ruta absoluta sin comillas, los atacantes a\u00fan pueden leer cualquier archivo en el servidor. La correcci\u00f3n original en notification-provider.js solo restringe los dos primeros pasos de la resoluci\u00f3n de archivos de LiquidJS (a trav\u00e9s de las opciones root, relativeReference y dynamicPartials), pero el tercer paso, el fallback de require.resolve() en liquid.node.js no tiene una verificaci\u00f3n de contenci\u00f3n, permitiendo que rutas absolutas sin comillas como /etc /passwd se resuelvan con \u00e9xito. Las rutas entre comillas se bloquean solo porque los caracteres de comillas literales hacen que require.resolve('\"/etc /passwd\"') arroje un error MODULE_NOT_FOUND, no debido a ninguna medida de seguridad intencional. Este problema ha sido corregido en la versi\u00f3n 2.2.1."}], "lastModified": "2026-03-24T15:24:16.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F26D862B-BDCF-48F3-A4FE-071B19753CE3", "versionEndExcluding": "2.2.1", "versionStartIncluding": "1.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}