


Perceptive Security
SOC/SIEM Consultancy

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel…
Published: 12 March 2026 at 23:00:00
Alert date: 13 March 2026 at 20:06:20
Source: nvd.nist.gov
Web Technologies, Enterprise Applications
The OneUptime monitoring solution contains a cross-site scripting (XSS) vulnerability in its Markdown viewer component. The vulnerability exists in versions prior to 10.0.23, where Mermaid diagrams are rendered with securityLevel set to 'loose' and the result is injected via innerHTML. This configuration allows interactive event bindings, which enable XSS through Mermaid's click directive and lead to execution of arbitrary JavaScript. All Markdown fields, including incident descriptions, status page announcements, and monitor notes, are vulnerable. The issue has been patched in version 10.0.23.
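For teams reviewing an instance that ran a version prior to 10.0.23, the following added example (not OneUptime's code and not taken from the advisory) scans stored Markdown fields for Mermaid diagrams that contain click bindings, so they can be reviewed by hand. The function names, field names and sample text are constructed for illustration.

```javascript
// Constructed helper names and sample data; not OneUptime's code.
const TICKS = '`'.repeat(3); // avoids a literal fence inside this example

// Extract the body of every mermaid fenced block in a Markdown string.
function mermaidBlocks(markdown) {
  const re = new RegExp(
    '^' + TICKS + '[ \\t]*mermaid[^\\n]*\\n([\\s\\S]*?)^' + TICKS, 'gmi');
  return [...markdown.matchAll(re)].map((m) => m[1]);
}

// Report each interactive `click` binding: node id, kind, and raw line.
function findClickBindings(markdown) {
  const findings = [];
  for (const body of mermaidBlocks(markdown)) {
    for (const raw of body.split('\n')) {
      const m = /^\s*click\s+(\S+)\s+(.*)$/i.exec(raw);
      if (!m) continue;
      const rest = m[2].trim();
      // `click X href "..."` or `click X "..."` is a link; anything else
      // names a JavaScript callback.
      const kind = /^(href\b|")/i.test(rest) ? 'href' : 'callback';
      findings.push({ node: m[1], kind, line: raw.trim() });
    }
  }
  return findings;
}

// Constructed sample: two stored Markdown fields, one with bindings.
const SAMPLE_FIELDS = {
  incidentDescription: [
    'Database failover diagram:',
    TICKS + 'mermaid',
    'graph TD',
    '  A[Primary] --> B[Replica]',
    '  click A call notifyOwner()',
    '  click B href "https://example.com/runbook"',
    TICKS,
  ].join('\n'),
  monitorNote: 'Plain note mentioning click A call x() outside any diagram.',
};

// Map field name -> findings, omitting fields with no bindings.
function auditFields(fields) {
  const report = {};
  for (const [name, text] of Object.entries(fields)) {
    const hits = findClickBindings(text);
    if (hits.length) report[name] = hits;
  }
  return report;
}

console.log(JSON.stringify(auditFields(SAMPLE_FIELDS), null, 2));
```

A finding only marks a diagram for review; the fix remains the upgrade to 10.0.23.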
Affected products: OneUptime
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-32308
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh
This article was created with the assistance of AI technology by Perceptive.
