CVE-2026-33130

{"id": "CVE-2026-33130", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T10:16:19.463", "references": [{"url": "https://github.com/advisories/GHSA-vffh-c9pq-4crh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.1", "tags": ["Patch", "Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-98"}, {"lang": "en", "value": "CWE-1336"}]}], "descriptions": [{"lang": "en", "value": "Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('\"/etc/passwd\"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1."}, {"lang": "es", "value": "Uptime Kuma es una herramienta de monitoreo de c\u00f3digo abierto y autoalojada. En las versiones 1.23.0 a 2.2.0, la correcci\u00f3n de GHSA-vffh-c9pq-4crh no funciona completamente para prevenir la Inyecci\u00f3n de Plantillas del Lado del Servidor (SSTI). Las tres mitigaciones a\u00f1adidas al motor Liquid (root, relativeReference, dynamicPartials) solo bloquean rutas entre comillas. Si un proyecto utiliza una ruta absoluta sin comillas, los atacantes a\u00fan pueden leer cualquier archivo en el servidor. La correcci\u00f3n original en notification-provider.js solo restringe los dos primeros pasos de la resoluci\u00f3n de archivos de LiquidJS (a trav\u00e9s de las opciones root, relativeReference y dynamicPartials), pero el tercer paso, el fallback de require.resolve() en liquid.node.js no tiene una verificaci\u00f3n de contenci\u00f3n, permitiendo que rutas absolutas sin comillas como /etc /passwd se resuelvan con \u00e9xito. Las rutas entre comillas se bloquean solo porque los caracteres de comillas literales hacen que require.resolve('\"/etc /passwd\"') arroje un error MODULE_NOT_FOUND, no debido a ninguna medida de seguridad intencional. Este problema ha sido corregido en la versi\u00f3n 2.2.1."}], "lastModified": "2026-03-24T15:24:16.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F26D862B-BDCF-48F3-A4FE-071B19753CE3", "versionEndExcluding": "2.2.1", "versionStartIncluding": "1.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}