CVE-2026-32308 HIGH

CVE-2026-32308: OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")

Vendor Oneuptime

Product oneuptime

Weakness CWE-79 · XSS

Published March 12, 2026

Last update March 14, 2026

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.

Key dates

02Disclosure timeline

March 12, 2026 CVE published

March 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32308 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-6363 Stock Ticker <= 3.24.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode CVE-2024-36199 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2023-44144 WordPress Dreamfox Media Payment gateway per Product for Woocommerce Plugin <= 3.2.7 is vulnerable to Cross Site Scripting (XSS) CVE-2025-67912 WordPress Stars Testimonials plugin <= 3.3.4 - Cross Site Scripting (XSS) vulnerability CVE-2024-29820 WordPress PDF Builder for WPForms plugin <= 1.2.88 - Cross Site Scripting (XSS) vulnerability