CVE-2026-27728

moderate-risk

Published 2026-02-25

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Version 10.0.7 fixes the vulnerability.

Do I need to act?

0.34% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 8ba6d5d058b3101bd4353df85fa6f762722d3134

CVSS 9.9/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Oneuptime

Affected Vendors

Hackerbay

References (2)

Patch https://github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b9...

Exploit https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jmhp-5558-qxh5

/ 100

moderate-risk

Severity 33/34 · Critical

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal