
CVE-2026-32308: Hackerbay OneUptime XSS Vulnerability

CVE-2026-32308 is a cross-site scripting flaw in Hackerbay OneUptime that enables XSS attacks through Mermaid diagrams in Markdown fields. This article covers the technical details, affected versions, and mitigation.

CVE-2026-32308 Overview

CVE-2026-32308 is a stored cross-site scripting (XSS) vulnerability in OneUptime, an open-source platform for monitoring and managing online services. The flaw exists in the Markdown viewer component, which renders Mermaid diagrams with securityLevel: "loose" and injects the resulting SVG output via innerHTML. This configuration permits interactive event bindings inside Mermaid diagrams, enabling attackers to execute arbitrary JavaScript through the Mermaid click directive. Any field that renders markdown is affected, including incident descriptions, status page announcements, and monitor notes. The vulnerability is fixed in OneUptime version 10.0.23.

Critical Impact

An authenticated user with permission to submit markdown content can execute arbitrary JavaScript in the browser session of any user who views that content, including administrators and external status page visitors.

Affected Products

  • Hackerbay OneUptime versions prior to 10.0.23
  • Markdown viewer component rendering Mermaid diagrams
  • All markdown-capable fields: incident descriptions, status page announcements, monitor notes

Discovery Timeline

  • 2026-03-13 - CVE-2026-32308 published to the National Vulnerability Database
  • 2026-03-17 - Last updated in NVD database

Technical Details for CVE-2026-32308

Vulnerability Analysis

The vulnerability is classified under [CWE-79] Improper Neutralization of Input During Web Page Generation. OneUptime's Markdown viewer integrates the Mermaid diagramming library to render flowcharts, sequence diagrams, and other diagram types embedded within markdown content. The component initializes Mermaid with the securityLevel: "loose" configuration option.

Mermaid's loose security level disables the library's internal HTML sanitization and permits interactive features such as the click directive. The click directive allows diagram authors to bind JavaScript callbacks or arbitrary URLs to diagram nodes. When combined with innerHTML injection of the rendered SVG, any script bindings declared inside the diagram source become live event handlers in the victim's browser.

Because markdown rendering is invoked across multiple application surfaces, the attack surface is broad. Status pages may be publicly accessible, extending the impact beyond authenticated tenants to unauthenticated visitors who load a poisoned status page.

Root Cause

The root cause is a permissive Mermaid configuration combined with unsafe DOM injection. Setting securityLevel: "loose" instructs Mermaid to skip output sanitization, and assigning the resulting SVG markup through innerHTML causes the browser to parse and activate any embedded event handlers or javascript: URIs the diagram produces.

Attack Vector

An authenticated attacker with permission to create or edit markdown content crafts a Mermaid code block containing a click directive that invokes JavaScript. When a victim renders the affected page, the malicious script executes in the victim's origin. The scope change in the CVSS vector reflects that script execution may escape the markdown-rendering component and act on the surrounding application context, including session tokens and API calls.

The vulnerability manifests in the Markdown viewer's Mermaid initialization path. Refer to the GitHub Security Advisory GHSA-wvh5-6vjm-23qh for vendor-provided technical details.

Detection Methods for CVE-2026-32308

Indicators of Compromise

  • Markdown content containing Mermaid code fences (```mermaid) with click directives referencing JavaScript callbacks or javascript: URIs
  • Status page, incident, or monitor records modified by accounts with unexpected access patterns
  • Browser console errors or unexpected outbound requests originating from rendered markdown views
  • SVG output in the DOM containing inline onclick, onload, or similar event-handler attributes

Detection Strategies

  • Audit OneUptime application logs for create and update events targeting markdown-capable fields prior to upgrade
  • Scan the database for Mermaid code blocks containing the strings click, callback, or javascript: within markdown fields
  • Review browser-side Content Security Policy (CSP) violation reports for inline-script blocks originating on markdown view routes
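The following JavaScript is an added example, not OneUptime's own code, implementing the first and last indicators above and the database scan: it finds script-capable click directives inside ```mermaid fences and flags rendered SVG that carries inline event handlers or javascript: URIs. The markdown and SVG samples are constructed for illustration.

```javascript
// Constructed sample markdown: one benign Mermaid diagram and one whose
// click directives would become live handlers under securityLevel "loose".
const SAMPLE_MARKDOWN = [
  "# Incident 42",
  "```mermaid",
  "graph TD",
  "  A[Probe] --> B[Alert]",
  "```",
  "Update 2:",
  "```mermaid",
  "graph LR",
  "  X[Start] --> Y[Done]",
  '  click Y callback "tooltip"',
  '  click X href "javascript:alert(1)"',
  "```",
].join("\n");

// Mermaid click forms that can run script: "click <id> callback",
// "click <id> call fn()", and href / bare targets using javascript: URIs.
const CLICK_DIRECTIVE =
  /^\s*click\s+\S+\s+(callback|call\s+\S+\(|href\s+"?javascript:|"javascript:)/i;

// Return every line inside a ```mermaid fence that declares such a click.
function findMermaidClickDirectives(markdown) {
  const findings = [];
  let fenceLang = null; // language tag of the open fence, null outside fences
  markdown.split("\n").forEach((line, idx) => {
    const fence = line.match(/^\s*```\s*(\w*)/);
    if (fence) {
      fenceLang = fenceLang === null ? fence[1].toLowerCase() : null;
      return;
    }
    if (fenceLang === "mermaid" && CLICK_DIRECTIVE.test(line)) {
      findings.push({ line: idx + 1, text: line.trim() });
    }
  });
  return findings;
}

// DOM-level indicator: SVG markup with inline on* handlers or javascript:
// links, which assignment through innerHTML would activate in the viewer.
const ACTIVE_SVG = /\son[a-z]+\s*=|(?:xlink:)?href\s*=\s*["']\s*javascript:/i;

function svgHasActiveContent(svg) {
  return ACTIVE_SVG.test(svg);
}
```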

Monitoring Recommendations

  • Enable HTTP request logging for endpoints that accept incident descriptions, status page announcements, and monitor notes
  • Monitor authentication and session activity for accounts that view status pages, looking for anomalous token reuse following page loads
  • Alert on unexpected outbound XHR or fetch calls from the OneUptime web origin to attacker-controlled domains

How to Mitigate CVE-2026-32308

Immediate Actions Required

  • Upgrade all OneUptime deployments to version 10.0.23 or later without delay
  • Review and sanitize existing markdown content in incidents, status pages, and monitor notes for embedded Mermaid click directives
  • Rotate API keys and session tokens for users who may have viewed untrusted markdown content prior to patching
  • Restrict markdown-edit permissions to trusted accounts until the upgrade is complete

Patch Information

The maintainers fixed the vulnerability in OneUptime 10.0.23. The fix addresses the unsafe Mermaid securityLevel: "loose" configuration and the innerHTML-based SVG injection in the Markdown viewer component. Patch details are documented in the OneUptime GitHub Security Advisory GHSA-wvh5-6vjm-23qh.

Workarounds

  • If immediate upgrade is not possible, disable or remove Mermaid rendering in the Markdown viewer component
  • Apply a strict Content Security Policy that forbids unsafe-inline scripts and blocks javascript: URIs on pages that render markdown
  • Make status pages private and limit markdown editing to a minimal set of trusted administrators until 10.0.23 is deployed

```bash
# Upgrade a source checkout of OneUptime to the patched release
# (assumes the release is tagged 10.0.23 in the repository)
git fetch --tags
git checkout 10.0.23
# Pull the matching container images and restart the stack
docker compose pull
docker compose up -d
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
