Lookup for vulnerable packages by Package URL.

Purl pkg:npm/oneuptime@4.0.25
Type npm
Namespace
Name oneuptime
Version 4.0.25
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-9d1k-7634-k3gc
vulnerability_id VCID-9d1k-7634-k3gc
summary OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32308
reference_id
reference_type
scores
0
value 0.00053
scoring_system epss
scoring_elements 0.17094
published_at 2026-06-14T12:55:00Z
1
value 0.00053
scoring_system epss
scoring_elements 0.16954
published_at 2026-06-11T12:55:00Z
2
value 0.00053
scoring_system epss
scoring_elements 0.17122
published_at 2026-06-13T12:55:00Z
3
value 0.00053
scoring_system epss
scoring_elements 0.17109
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32308
1
reference_url https://github.com/OneUptime/oneuptime
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/OneUptime/oneuptime
2
reference_url https://github.com/OneUptime/oneuptime/releases/tag/10.0.23
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/OneUptime/oneuptime/releases/tag/10.0.23
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32308
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32308
4
reference_url https://github.com/advisories/GHSA-wvh5-6vjm-23qh
reference_id GHSA-wvh5-6vjm-23qh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wvh5-6vjm-23qh
5
reference_url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh
reference_id GHSA-wvh5-6vjm-23qh
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-14T03:42:52Z/
url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh
fixed_packages
0
url pkg:npm/oneuptime@10.0.23
purl pkg:npm/oneuptime@10.0.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/oneuptime@10.0.23
aliases CVE-2026-32308, GHSA-wvh5-6vjm-23qh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9d1k-7634-k3gc
1
url VCID-gwgx-g4us-j7er
vulnerability_id VCID-gwgx-g4us-j7er
summary OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys. This issue has been patched in version 10.0.34.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33142
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02914
published_at 2026-06-14T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02907
published_at 2026-06-11T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02903
published_at 2026-06-13T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02917
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33142
1
reference_url https://github.com/OneUptime/oneuptime
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/OneUptime/oneuptime
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33142
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33142
3
reference_url https://github.com/advisories/GHSA-gcg3-c5p2-cqgg
reference_id GHSA-gcg3-c5p2-cqgg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gcg3-c5p2-cqgg
4
reference_url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gcg3-c5p2-cqgg
reference_id GHSA-gcg3-c5p2-cqgg
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:41:51Z/
url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gcg3-c5p2-cqgg
fixed_packages
0
url pkg:npm/oneuptime@10.0.34
purl pkg:npm/oneuptime@10.0.34
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/oneuptime@10.0.34
aliases CVE-2026-33142, GHSA-gcg3-c5p2-cqgg
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gwgx-g4us-j7er
2
url VCID-paar-mre8-fbgz
vulnerability_id VCID-paar-mre8-fbgz
summary OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32306
reference_id
reference_type
scores
0
value 0.00528
scoring_system epss
scoring_elements 0.67679
published_at 2026-06-13T12:55:00Z
1
value 0.00528
scoring_system epss
scoring_elements 0.67676
published_at 2026-06-14T12:55:00Z
2
value 0.00528
scoring_system epss
scoring_elements 0.67577
published_at 2026-06-11T12:55:00Z
3
value 0.00528
scoring_system epss
scoring_elements 0.67666
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32306
1
reference_url https://github.com/OneUptime/oneuptime
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/OneUptime/oneuptime
2
reference_url https://github.com/OneUptime/oneuptime/releases/tag/10.0.23
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/OneUptime/oneuptime/releases/tag/10.0.23
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32306
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32306
4
reference_url https://github.com/advisories/GHSA-p5g2-jm85-8g35
reference_id GHSA-p5g2-jm85-8g35
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p5g2-jm85-8g35
5
reference_url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35
reference_id GHSA-p5g2-jm85-8g35
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-14T03:42:10Z/
url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35
fixed_packages
0
url pkg:npm/oneuptime@10.0.23
purl pkg:npm/oneuptime@10.0.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/oneuptime@10.0.23
aliases CVE-2026-32306, GHSA-p5g2-jm85-8g35
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-paar-mre8-fbgz
3
url VCID-ugpa-g28u-byce
vulnerability_id VCID-ugpa-g28u-byce
summary OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33143
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03103
published_at 2026-06-12T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.03097
published_at 2026-06-14T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.0309
published_at 2026-06-11T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03085
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33143
1
reference_url https://github.com/OneUptime/oneuptime
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/OneUptime/oneuptime
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33143
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33143
3
reference_url https://github.com/advisories/GHSA-g5ph-f57v-mwjc
reference_id GHSA-g5ph-f57v-mwjc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g5ph-f57v-mwjc
4
reference_url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-g5ph-f57v-mwjc
reference_id GHSA-g5ph-f57v-mwjc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:00:21Z/
url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-g5ph-f57v-mwjc
fixed_packages
0
url pkg:npm/oneuptime@10.0.34
purl pkg:npm/oneuptime@10.0.34
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/oneuptime@10.0.34
aliases CVE-2026-33143, GHSA-g5ph-f57v-mwjc
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ugpa-g28u-byce
4
url VCID-vzkv-wwxq-jqfz
vulnerability_id VCID-vzkv-wwxq-jqfz
summary OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32598
reference_id
reference_type
scores
0
value 0.00039
scoring_system epss
scoring_elements 0.12025
published_at 2026-06-14T12:55:00Z
1
value 0.00039
scoring_system epss
scoring_elements 0.11948
published_at 2026-06-11T12:55:00Z
2
value 0.00039
scoring_system epss
scoring_elements 0.12045
published_at 2026-06-13T12:55:00Z
3
value 0.00039
scoring_system epss
scoring_elements 0.12043
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32598
1
reference_url https://github.com/OneUptime/oneuptime
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/OneUptime/oneuptime
2
reference_url https://github.com/OneUptime/oneuptime/releases/tag/10.0.23
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/OneUptime/oneuptime/releases/tag/10.0.23
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32598
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32598
4
reference_url https://github.com/advisories/GHSA-4524-cj9j-g4fj
reference_id GHSA-4524-cj9j-g4fj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4524-cj9j-g4fj
5
reference_url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4524-cj9j-g4fj
reference_id GHSA-4524-cj9j-g4fj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-14T03:44:54Z/
url https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4524-cj9j-g4fj
fixed_packages
0
url pkg:npm/oneuptime@10.0.23
purl pkg:npm/oneuptime@10.0.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/oneuptime@10.0.23
aliases CVE-2026-32598, GHSA-4524-cj9j-g4fj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vzkv-wwxq-jqfz
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/oneuptime@4.0.25