SCA: security update for uptime-kuma (GHSA-7grx-f945-mj96)

Severity: High | Tenable Cloud Security | Plugin ID 434594

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously
crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows
authenticated users to install plugins from an official list of plugins. This feature is currently
disabled in the web interface, but the corresponding API endpoints are still available after login. After
downloading a plugin, it's installed by calling `npm install` in the installation directory of the plugin.
Because the plugin is not validated against the official list of plugins or installed with `npm install
--ignore-scripts`, a maliciously crafted plugin taking advantage of npm scripts can gain remote code
execution. Version 1.22.1 contains a patch for this issue. (CVE-2023-36821)

See Also

https://github.com/advisories/GHSA-7grx-f945-mj96

Plugin Details

Severity: High

ID: 434594

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 6/1/2026

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-36821

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/1/2024

Vulnerability Publication Date: 7/5/2023

Reference Information

CVE: CVE-2023-36821

CWE: CWE-20