


Perceptive Security
SOC/SIEM Consultancy

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project…
Published:
9 March 2026 at 23:00:00
Alert date:
10 March 2026 at 19:06:17
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
Versions of the OneUptime monitoring solution prior to 10.0.21 contain a critical vulnerability that allows low-privileged authenticated users to execute arbitrary commands on the oneuptime-probe server/container. The issue stems from untrusted Synthetic Monitor code being executed in Node's vm while live Playwright browser objects are exposed to it. Attackers can abuse Playwright APIs to spawn malicious executables, resulting in server-side remote code execution without requiring a sandbox escape. The vulnerability has been patched in version 10.0.21.
Technical details
Mitigation steps:
Affected products:
OneUptime
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-30957
https://github.com/OneUptime/oneuptime/releases/tag/10.0.21
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
