SCA: security update for @oneuptime/common (GHSA-4j36-39gm-8vq8)

critical Tenable Self-Hosted Container Security Plugin ID 438515

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic
Monitors allow low-privileged project users to submit custom Playwright code that is executed on the
oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is
given live host Playwright objects such as browser and page. This creates a distinct server-side RCE
primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape.
Instead, the attacker can directly use the injected Playwright browser object to reach
browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This
vulnerability is fixed in 10.0.20. (CVE-2026-30921)

Solution

Update the @oneuptime/common library and its related packages to version 10.0.20 or later.

See Also

https://github.com/advisories/GHSA-4j36-39gm-8vq8

Plugin Details

Severity: Critical

ID: 438515

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/9/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.71

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-30921

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/7/2026

Vulnerability Publication Date: 3/7/2026

Reference Information

CVE: CVE-2026-30921

cwe: CWE-749