CVE-2026-33130

CVE-2026-33130 is a medium-severity vulnerability in Uptime.kuma Uptime Kuma with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-98.

Key facts

Description

Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.

Frequently asked questions

What is CVE-2026-33130?
Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.
How severe is CVE-2026-33130?
CVE-2026-33130 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2026-33130 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-33130?
CVE-2026-33130 affects Uptime.kuma Uptime Kuma. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-33130?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-33130 have an EU (EUVD) identifier?
Yes. CVE-2026-33130 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-13670.
When was CVE-2026-33130 published?
CVE-2026-33130 was published on 2026-03-20 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Uptime.kuma Uptime Kuma

All CVEs affecting Uptime.kuma Uptime Kuma →

Other CWE-98 (PHP Remote File Inclusion) vulnerabilities

Browse all CWE-98 (PHP Remote File Inclusion) vulnerabilities →