Critical Command Injection Flaw in OneUptime Exposes Systems to Remote Takeover A severe command injection vulnerability, tracked as CVE-2026-27728, has been discovered in OneUptime, a platform used for monitoring and managing online services. The flaw allows authenticated users to execute arbitrary operating system commands on the Probe server, risking full system compromise. The vulnerability resides in the NetworkPathMonitor.performTraceroute() function within OneUptime’s Probe Server component. The function processes user-controlled input specifically the destination field in monitor configurations using Node.js’s exec() function, which spawns shell commands. Due to improper input sanitization, attackers can inject malicious commands via shell metacharacters (e.g., `;`, `|`, `&`, `$()`, or backticks), bypassing intended traceroute operations. Exploitation requires only low-level authentication as a project user. By crafting a malicious monitor configuration (e.g., `example.com; cat /etc/passwd`), an attacker can execute arbitrary commands with the same privileges as the Probe server process. Successful exploitation could lead to data exfiltration, lateral movement, or complete server takeover. OneUptime addressed the issue in version 10.0.7, replacing the vulnerable exec() function with execFile(), which executes commands directly without shell interpretation, mitigating the injection risk. Organizations using versions prior to 10.0.7 are advised to patch immediately. Additional mitigation steps include auditing monitor configurations for suspicious inputs, monitoring for unusual system activity, and restricting Probe server access if patching is delayed.