GHSA-m449-vh5f-574g: OneUptime Unauthorized User Creation via API

Summary

A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface.

PoC

A low-permission user sends a crafted API request to the user-creation endpoint and the system creates the account successfully.

Impact

This allows attackers to create unauthorized accounts.

CVE ID: CVE-2025-65966

High severity • GitHub Reviewed • Published Nov 26, 2025 in OneUptime/oneuptime • Updated Nov 26, 2025

Package

@oneuptime/common (npm)

Affected versions

< 9.1.0
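
To check whether a project resolves a version in the affected range, the following added example (not code from the advisory or from OneUptime) scans a parsed package-lock.json object for `@oneuptime/common` entries below 9.1.0. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not OneUptime code): flag lockfile entries in the affected range.
const PACKAGE = "@oneuptime/common"; // package named in the advisory
const FIXED = [9, 1, 0];             // advisory: affected versions are < 9.1.0

// True when `version` sorts below FIXED. Unparseable values (git URLs, missing
// versions) return true so they get a manual look instead of silently passing.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return m[4] === "-"; // 9.1.0-rc.1 precedes 9.1.0 in semver ordering
}

// Accepts a parsed package-lock.json object and returns [{ path, version }].
function findAffected(lock) {
  const hits = [];
  const check = (path, info) => {
    if (path.endsWith("node_modules/" + PACKAGE) && isAffected(info.version)) {
      hits.push({ path, version: info.version });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, info] of Object.entries(lock.packages)) check(path, info);
  } else {
    // lockfileVersion 1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const path = prefix + "node_modules/" + name;
        check(path, info);
        walk(info.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "status-dashboard", version: "1.0.0" },
    "node_modules/@oneuptime/common": { version: "9.0.5" },
    "node_modules/widget/node_modules/@oneuptime/common": { version: "9.1.0" },
  },
};
console.log(findAffected(sampleLock));
```

Nested copies matter here: a transitive dependency can pin an affected version even when the top-level entry is already at 9.1.0 or later.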

References

  • GHSA-m449-vh5f-574g
  • OneUptime/oneuptime@07bc6d4

Published to the GitHub Advisory Database

Nov 26, 2025

Last updated

Nov 26, 2025
