HIGHCVE-2026-32308Published 2026-03-12Modified 2026-03-14CNA GitHub_M

CVE-2026-32308: OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.

CVSS v3.1: 7.6
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

OneUptime / oneuptime
< 10.0.23

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

References

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh

Metrics