CVE-2026-45102 CRITICAL

CVE-2026-45102: OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion

Vendor Oneuptime
Product oneuptime
Weakness CWE-693
Published May 27, 2026
Last update May 30, 2026

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js vm module as an isolation primitive. This API was not designed for that purpose, and the isolation can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.

Key dates

02 Disclosure timeline

May 27, 2026 CVE published
May 30, 2026 Record updated