CVE-2026-30958

HIGH WAF: High

CVSS 8.6 Published: 2026-03-10

CWE-22

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.

WAF Coverage Analysis

Path Traversal High WAF Coverage

OWASP: A01:2021 Broken Access Control

930xxx - Local File Inclusion

Affected Software

Vendor	Product	Version
hackerbay	oneuptime	up to 10.0.21

References

github.com (Product, Release Notes)
github.com (Exploit, Mitigation, Vendor Advisory)

Back to CVE Database