OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel…

OneUptime monitoring solution contains a cross-site scripting (XSS) vulnerability in its Markdown viewer component. The vulnerability exists in versions prior to 10.0.23 where Mermaid diagrams are rendered with securityLevel set to 'loose' and injected via innerHTML. This configuration allows interactive event bindings that enable XSS attacks through Mermaid's click directive, executing arbitrary JavaScript. All markdown fields including incident descriptions, status page announcements, and monitor notes are vulnerable. The issue has been patched in version 10.0.23.