CVE-2026-27728: OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()

February 25, 2026 (updated February 27, 2026)

An OS command injection vulnerability in NetworkPathMonitor.performTraceroute() allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor’s destination field.

References

github.com/OneUptime/oneuptime
github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b99288c1
github.com/OneUptime/oneuptime/security/advisories/GHSA-jmhp-5558-qxh5
github.com/advisories/GHSA-jmhp-5558-qxh5
nvd.nist.gov/vuln/detail/CVE-2026-27728

Code Behaviors & Features

Detect and mitigate CVE-2026-27728 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →