CVE-2026-32308
Received Received - Intake
XSS in OneUptime Markdown Viewer via Unsafe Mermaid Rendering

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32308
EUVD
EUVD-2026-11720
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.23 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32308 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in the OneUptime application, specifically in its Markdown viewer component that renders Mermaid diagrams.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the Mermaid library is configured with securityLevel set to "loose", which allows interactive event bindings such as click handlers within diagrams.'}, {'type': 'paragraph', 'content': 'After rendering, the SVG output is injected directly into the DOM using innerHTML without sanitization, enabling embedded event handlers in the SVG to execute arbitrary JavaScript.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this by crafting a Mermaid diagram with a click directive that executes malicious JavaScript, for example stealing cookies by sending them to an attacker-controlled server.'}, {'type': 'paragraph', 'content': 'Any markdown-rendered field in OneUptime, such as incident descriptions, status page announcements, and monitor notes, is vulnerable.'}, {'type': 'paragraph', 'content': 'This vulnerability is fixed in version 10.0.23 by changing Mermaid\'s configuration to securityLevel "strict" and sanitizing the SVG output before injecting it into the DOM.'}] [1]

Impact Analysis

This vulnerability allows attackers to execute arbitrary JavaScript in the context of the OneUptime application through stored XSS.

Potential impacts include theft of sensitive information such as cookies, which can lead to session hijacking and unauthorized access.

Because the vulnerability affects fields viewed by on-call engineers, public visitors, and team members, it can compromise multiple user roles.

The integrity of the application can be partially compromised, and attackers may perform actions on behalf of users.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting markdown-rendered fields in OneUptime for Mermaid diagrams configured with securityLevel set to "loose" and by checking if SVG output is injected via innerHTML without sanitization.'}, {'type': 'paragraph', 'content': "To detect potential exploitation attempts on your network, you can monitor HTTP requests for suspicious URLs or JavaScript execution triggered by Mermaid's click directives, such as requests to external domains carrying cookie data."}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Use network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests that may indicate data exfiltration, e.g., `tcpdump -i any -A host evil.com` to detect requests to attacker-controlled domains.'}, {'type': 'list_item', 'content': 'Search the application source code or deployed files for Mermaid configuration with `securityLevel: "loose"`, e.g., `grep -r \'securityLevel: "loose"\' ./`.'}, {'type': 'list_item', 'content': 'Inspect rendered markdown fields in the application UI for embedded Mermaid diagrams that include click directives with JavaScript payloads.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating OneUptime to version 10.0.23 or later, where the vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'If updating is not immediately possible, apply the following mitigations:'}, {'type': 'list_item', 'content': 'Change the Mermaid configuration from `securityLevel: "loose"` to `securityLevel: "strict"` to disable interactive event bindings.'}, {'type': 'list_item', 'content': 'Sanitize the SVG output before injecting it into the DOM using a library like DOMPurify with SVG profiles enabled to prevent execution of embedded JavaScript.'}, {'type': 'list_item', 'content': 'Review and sanitize any markdown content fields that render Mermaid diagrams to remove potentially malicious click directives.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32308. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart