{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33130", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.927Z", "datePublished": "2026-03-20T09:50:55.124Z", "dateUpdated": "2026-03-20T21:18:35.209Z"}, "containers": {"cna": {"title": "Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix for GHSA-vffh-c9pq-4crh)", "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "lang": "en", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j"}, {"name": "https://github.com/advisories/GHSA-vffh-c9pq-4crh", "tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-vffh-c9pq-4crh"}, {"name": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.1"}], "affected": [{"vendor": "louislam", "product": "uptime-kuma", "versions": [{"version": ">= 1.23.0, < 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:50:55.124Z"}, "descriptions": [{"lang": "en", "value": "Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('\"/etc/passwd\"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1."}], "source": {"advisory": "GHSA-v832-4r73-wx5j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T21:18:17.902200Z", "id": "CVE-2026-33130", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T21:18:35.209Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33130", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T21:18:17.902200Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T21:18:30.617Z"}}], "cna": {"title": "Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix for GHSA-vffh-c9pq-4crh)", "source": {"advisory": "GHSA-v832-4r73-wx5j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "louislam", "product": "uptime-kuma", "versions": [{"status": "affected", "version": ">= 1.23.0, < 2.2.1"}]}], "references": [{"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j", "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/advisories/GHSA-vffh-c9pq-4crh", "name": "https://github.com/advisories/GHSA-vffh-c9pq-4crh", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.1", "name": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('\"/etc/passwd\"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:50:55.124Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33130", "state": "PUBLISHED", "dateUpdated": "2026-03-20T21:18:35.209Z", "dateReserved": "2026-03-17T20:35:49.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T09:50:55.124Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('\"/etc/passwd\"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1."}], "id": "CVE-2026-33130", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T10:16:19.463", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/advisories/GHSA-vffh-c9pq-4crh"}, {"source": "security-advisories@github.com", "url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}, {"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.23.0,2.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "uptime-kuma", "source": "cna", "vendor": "louislam"}, "product": "uptime-kuma", "vendor": "louislam"}], "analysis": {"en": {"generated_at": "2026-03-20T11:21:41.497504+00:00", "value": {"mitigation_remediation": ["Upgrade Uptime Kuma to version 2.2.1 or later.", "If upgrading is not immediately possible, restrict editing of notification templates to trusted users only and prohibit inclusion of unquoted absolute paths."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Read via SSTI"}, "threat_synthesis": {"affected_systems": "The products affected are the Uptime Kuma monitoring tool from the vendor louislam. Versions from 1.23.0 through 2.2.0 inclusive are impacted. The fix that fully mitigates the problem is available in version 2.2.1 and later.", "description_and_impact": "This vulnerability is a Server-side Template Injection in Uptime Kuma\u2019s notification templates that allows an attacker to read any file on the server. The issue arises because unquoted absolute paths are not properly sanitized; the LiquidJS engine falls back to require.resolve() without containment checks. Consequently, sensitive files such as /etc/passwd can be accessed. The weakness is classified as CWE-1336 (Untrusted Input in Template Engine) and CWE-98 (Improper Restriction of Operations within the Bounds of a File). The impact is a confidentiality breach, potentially giving attackers access to sensitive configuration, credentials, or host information.", "risk_and_exploitability": "The CVSS score is 6.5, indicating moderate severity. EPSS data is not provided, so the likelihood of exploitation cannot be quantified. This vulnerability is not listed in the CISA KEV catalog. Attackers would need to inject malicious content into the notification template or otherwise influence template rendering, which typically requires some level of user or configuration access. If such access is available, the vulnerability is readily exploitable. The risk is that confidential files can be read, potentially leading to further compromises if credentials or private keys are located.\n"}}}}, "created": "2026-03-20T14:13:50.903993+00:00", "updated": "2026-03-20T16:27:27.653493+00:00", "vendors": ["louislam", "louislam$PRODUCT$uptime-kuma"]}