CVE-2026-32308
XSS in OneUptime Markdown Viewer via Unsafe Mermaid Rendering
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | up to 10.0.23 (excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32308 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in the OneUptime application, specifically in its Markdown viewer component that renders Mermaid diagrams.

The vulnerability occurs because the Mermaid library is configured with securityLevel set to "loose", which allows interactive event bindings such as click handlers within diagrams.

After rendering, the SVG output is injected directly into the DOM using innerHTML without sanitization, enabling embedded event handlers in the SVG to execute arbitrary JavaScript.

An attacker can exploit this by crafting a Mermaid diagram with a click directive that executes malicious JavaScript, for example stealing cookies by sending them to an attacker-controlled server.

Any markdown-rendered field in OneUptime, such as incident descriptions, status page announcements, and monitor notes, is vulnerable.

This vulnerability is fixed in version 10.0.23 by changing Mermaid's configuration to securityLevel "strict" and sanitizing the SVG output before injecting it into the DOM. [1]
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary JavaScript in the context of the OneUptime application through stored XSS.
Potential impacts include theft of sensitive information such as cookies, which can lead to session hijacking and unauthorized access.
Because the vulnerability affects fields viewed by on-call engineers, public visitors, and team members, it can compromise multiple user roles.
The integrity of the application can be partially compromised, and attackers may perform actions on behalf of users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting markdown-rendered fields in OneUptime for Mermaid diagrams configured with securityLevel set to "loose" and by checking if SVG output is injected via innerHTML without sanitization.

To detect potential exploitation attempts on your network, you can monitor HTTP requests for suspicious URLs or JavaScript execution triggered by Mermaid's click directives, such as requests to external domains carrying cookie data.

Suggested commands include:

- Use network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests that may indicate data exfiltration, e.g., `tcpdump -i any -A host evil.com` to detect requests to attacker-controlled domains.
- Search the application source code or deployed files for Mermaid configuration with `securityLevel: "loose"`, e.g., `grep -r 'securityLevel: "loose"' ./`.
- Inspect rendered markdown fields in the application UI for embedded Mermaid diagrams that include click directives with JavaScript payloads. [1]
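The third check above can be automated over stored markdown before it is rendered. The following scanner is an added example, not code from OneUptime or from this advisory; it assumes markdown fields use triple-backtick fences with a `mermaid` info string, and the sample incident text is constructed for the demonstration.

```javascript
// Added example, not code from OneUptime or this advisory: scan markdown for
// Mermaid fences that contain "click" directives. With securityLevel "loose",
// Mermaid binds such directives as handlers in the rendered SVG, so each one
// found in user-supplied content is worth reviewing before it reaches a viewer.

// Mermaid "click" forms: click <node> callback "tip" | click <node> call fn() |
// click <node> href "url" | click <node> "url" "tip"
function classifyClickTarget(token) {
  if (token.startsWith('"')) return 'href';            // bare quoted URL form
  const t = token.toLowerCase();
  return t === 'call' || t === 'href' ? t : 'callback';
}

function findMermaidClickDirectives(markdown) {
  // One fenced block: opening fence with info string, body, closing fence.
  const fenceRe = /```[ \t]*([^\n`]*)\n([\s\S]*?)\n[ \t]*```/g;
  const clickRe = /^\s*click\s+(\S+)\s+(\S+)/i;
  const findings = [];
  let block = 0;
  let m;
  while ((m = fenceRe.exec(markdown)) !== null) {
    block += 1;
    // Fences in other languages are never handed to Mermaid, so skip them.
    if (m[1].trim().toLowerCase() !== 'mermaid') continue;
    m[2].split('\n').forEach((line, i) => {
      const c = clickRe.exec(line);
      if (c) {
        findings.push({ block, line: i + 1, node: c[1], kind: classifyClickTarget(c[2]), text: line.trim() });
      }
    });
  }
  return findings;
}

// Constructed sample: an incident description with two diagrams and one shell fence.
const SAMPLE_MARKDOWN = [
  '## Outage timeline',
  '```mermaid',
  'graph TD',
  '  A[Alert fired] --> B[Paged on-call]',
  '```',
  'Runbook snippet (not Mermaid, so the word "click" here is not flagged):',
  '```bash',
  'echo click here',
  '```',
  '```mermaid',
  'graph LR',
  '  C[Status page] --> D[Postmortem]',
  '  click D callback "Open postmortem"',
  '  click C "https://status.example.com" "Status"',
  '```',
].join('\n');

// Reports the two directives in the third fence; the first diagram is clean.
console.log(findMermaidClickDirectives(SAMPLE_MARKDOWN));
```

Findings are reported for review rather than rejected outright, because href-style links to trusted sites are a legitimate use of the directive once securityLevel is "strict".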
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating OneUptime to version 10.0.23 or later, where the vulnerability is fixed.

If updating is not immediately possible, apply the following mitigations:

- Change the Mermaid configuration from `securityLevel: "loose"` to `securityLevel: "strict"` to disable interactive event bindings.
- Sanitize the SVG output before injecting it into the DOM using a library like DOMPurify with SVG profiles enabled to prevent execution of embedded JavaScript.
- Review and sanitize any markdown content fields that render Mermaid diagrams to remove potentially malicious click directives. [1]