CVE-2026-33130
Received Received - Intake
Server-Side Template Injection in Uptime Kuma Allows File Read

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33130
EUVD
EUVD-2026-13670
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uptime.kuma uptime_kuma From 1.23.0 (inc) to 2.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33130 is a Server-side Template Injection (SSTI) vulnerability in Uptime Kuma, an open source monitoring tool. It affects versions 1.23.0 through 2.2.0 due to an incomplete fix for a previous vulnerability. The issue arises because the LiquidJS template engine used in notification templates does not fully block unquoted absolute file paths. Attackers can exploit this by injecting malicious template code that uses unquoted absolute paths, such as /etc/passwd, to read arbitrary files on the server.'}, {'type': 'paragraph', 'content': "The vulnerability exists because the LiquidJS engine's fallback file resolution step uses require.resolve() without containment checks, allowing unquoted absolute paths to resolve successfully. Quoted paths are blocked only incidentally due to module resolution errors caused by literal quotes, not by intentional security measures. This allows an authenticated attacker to craft notification templates that leak sensitive server files."}] [2, 3, 1]

Impact Analysis

This vulnerability allows an attacker with authenticated access to read arbitrary files on the server running Uptime Kuma. This can lead to disclosure of sensitive information such as configuration files, credentials, or other private data stored on the server.

Because the vulnerability affects notification templates, an attacker can craft malicious templates that, when triggered, send the contents of arbitrary files to attacker-controlled webhook endpoints. This compromises confidentiality but does not affect integrity or availability.

The attack complexity is low, requiring only authenticated access and no user interaction beyond the attacker’s own actions. The CVSS v3.1 base score is 6.5, indicating moderate severity.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exploit the Server-side Template Injection (SSTI) in Uptime Kuma notification templates. Specifically, an authenticated user can test if the system is vulnerable by injecting template tags that try to read sensitive files, such as the /etc/passwd file.'}, {'type': 'paragraph', 'content': "A practical detection method involves logging into Uptime Kuma, editing a monitor's notification settings to use a webhook notification type, and modifying the custom request body to include a malicious template tag like `{% render /etc/passwd %}` or `{% include /etc/passwd %}`. If the webhook endpoint receives the contents of the targeted file, the system is vulnerable."}, {'type': 'paragraph', 'content': 'No specific network commands are provided in the resources, but monitoring outgoing webhook requests for unexpected file contents or unusual template tags can help detect exploitation attempts.'}] [2, 3]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Uptime Kuma to version 2.2.1 or later, where the vulnerability has been fixed by updating the LiquidJS template engine and removing unsafe file-inclusion tags such as `render`, `include`, and `layout` from notification templates.

If upgrading is not immediately possible, a suggested workaround is to remove or disable the file-inclusion tags (`render`, `include`, `layout`) from the LiquidJS engine used in notification templates to block the attack vector while preserving normal template functionality.

Additionally, restricting authenticated user access and implementing Role-Based Access Control (RBAC) can reduce the risk, since exploitation requires authenticated access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33130. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart