{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T12:55:31.883","vulnerabilities":[{"cve":{"id":"CVE-2026-32308","sourceIdentifier":"security-advisories@github.com","published":"2026-03-13T19:54:42.147","lastModified":"2026-03-17T20:08:07.103","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: \"loose\" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23."},{"lang":"es","value":"OneUptime es una solución para monitorear y gestionar servicios en línea. Antes de la versión 10.0.23, el componente visor de Markdown renderiza diagramas Mermaid con securityLevel: 'loose' e inyecta la salida SVG a través de innerHTML. Esta configuración permite explícitamente enlaces de eventos interactivos en los diagramas Mermaid, lo que habilita XSS a través de la directiva 'click' de Mermaid que puede ejecutar JavaScript arbitrario. Cualquier campo que renderice markdown (descripciones de incidentes, anuncios de páginas de estado, notas de monitores) es vulnerable. Esta vulnerabilidad se corrige en la versión 10.0.23."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.23","matchCriteriaId":"AF2F89C2-1AB8-4611-9B0B-A4CFA02C807E"}]}]}],"references":[{"url":"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-wvh5-6vjm-23qh","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}