CVE-2026-30959

OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service.
Configurations

Configuration 1

cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*

History

12 Mar 2026, 14:01

Type | Values Removed | Values Added
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 5.0
CPE | | cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
First Time | | Hackerbay oneuptime; Hackerbay
References | () https://github.com/OneUptime/oneuptime/releases/tag/10.0.21 - | () https://github.com/OneUptime/oneuptime/releases/tag/10.0.21 - Product, Release Notes
References | () https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cw6x-mw64-q6pv - | () https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cw6x-mw64-q6pv - Exploit, Mitigation, Vendor Advisory

11 Mar 2026, 13:53

Type | Values Removed | Values Added
Summary | | (es) OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service.

10 Mar 2026, 18:18

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-10 18:18

Updated : 2026-03-12 14:01


NVD link : CVE-2026-30959

Mitre link : CVE-2026-30959

CVE.ORG link : CVE-2026-30959



Products Affected

hackerbay

  • oneuptime
CWE
CWE-285

Improper Authorization

CWE-307

Improper Restriction of Excessive Authentication Attempts

CWE-639

Authorization Bypass Through User-Controlled Key

CWE-862

Missing Authorization