CVE-2026-30921
OneUptime Synthetic Monitor RCE via exposed Playwright browser object
Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
INFO
Published Date :
March 9, 2026, 10:58 p.m.
Last Modified :
March 9, 2026, 10:58 p.m.
Remotely Exploit :
No
Source :
GitHub_M
Affected Products
The following products are affected by CVE-2026-30921
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Update OneUptime to version 10.0.20 or later.
- Apply vendor patches for the synthetic monitor component.
- Review code execution environments for untrusted input.
- Restrict privileges for project users submitting Playwright code.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-30921 vulnerability anywhere in the article.