Donate Telegram

CVE-2026-30959

MEDIUM CVSS 4.0: 5.3 EPSS 0.04%

Mar 10, 2026

Updated Mar 10, 2026

Oneuptime

Parameter	Value
CVSS	5.3 (MEDIUM)
Type	CWE-307, CWE-639 (Authorization Bypass), CWE-862 (Missing Authorization), CWE-285 (Improper Authorization)
Vendor	Oneuptime
Public PoC	No

OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint).

This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

None

No data modification

Availability

Low

Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-639 Authorization Bypass

CWE-862 Missing Authorization

CWE-285 Improper Authorization

References 2

https://github.com/OneUptime/oneuptime/releases/tag/10.0.21

security-advisories@github.com

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cw6x-mw64-q6pv

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-32308

Oneuptime

CVE-2026-32306

Oneuptime

CVE-2026-30958

Oneuptime

CVE-2026-30957

Oneuptime

CVE-2026-30956

Oneuptime

CVE Details

CVE ID

CVE-2026-30959

Published Date

Mar 10, 2026

Vendor

Oneuptime

Severity

MEDIUM

CVSS v4.0 Score

5.3

Medium severity. Plan remediation.

Exploit Prediction (EPSS)

Probability of Exploit 0.04%

Likelihood of exploitation in next 30 days

Percentile: 11.8th percentile (higher than 11.8% of all CVEs)

Standard patching cycle

Impact

Partial service disruption

Source

Editor's Choice