CVE-2026-33130
CVE-2026-33130 is a medium-severity vulnerability in Uptime.kuma Uptime Kuma with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-98.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 0% (26th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-13670
- Weakness: CWE-98
- Affected product: Uptime.kuma Uptime Kuma
- Published:
- Last modified:
Description
Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.
Frequently asked questions
- What is CVE-2026-33130?
- Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.
- How severe is CVE-2026-33130?
- CVE-2026-33130 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-33130 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-33130?
- CVE-2026-33130 affects Uptime.kuma Uptime Kuma. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-33130?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-33130 have an EU (EUVD) identifier?
- Yes. CVE-2026-33130 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-13670.
- When was CVE-2026-33130 published?
- CVE-2026-33130 was published on 2026-03-20 and last updated on 2026-06-17.
References
- https://github.com/advisories/GHSA-vffh-c9pq-4crh
- https://github.com/louislam/uptime-kuma/releases/tag/2.2.1
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j
Affected products (1)
- cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*
More vulnerabilities in Uptime.kuma Uptime Kuma
- CVE-2023-49804 — Medium (CVSS 6.7): Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login…
- CVE-2023-44400 — Medium (CVSS 6.7): Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can…
- CVE-2023-49276 — Medium (CVSS 6.3): Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element in…
- CVE-2023-49805 — Medium (CVSS 6.0): Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket…
- CVE-2026-32230 — Medium (CVSS 5.3): Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET…
All CVEs affecting Uptime.kuma Uptime Kuma →
Other CWE-98 (PHP Remote File Inclusion) vulnerabilities
- CVE-2025-25174 — Critical (CVSS 10.0): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability…
- CVE-2012-10025 — Critical (CVSS 10.0): The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI)…
- CVE-2026-41228 — Critical (CVSS 9.9): Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint…
- CVE-2025-31340 — Critical (CVSS 9.9): A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course…
- CVE-2023-5199 — Critical (CVSS 9.9): The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and…
- CVE-2026-7515 — Critical (CVSS 9.8): The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0…
Browse all CWE-98 (PHP Remote File Inclusion) vulnerabilities →