{"id":"CVE-2023-26777","details":"Cross Site Scripting vulnerability found in : louislam Uptime Kuma v.1.19.6 and before allows a remote attacker to execute arbitrary commands via the description, title, footer, and incident creation parameter of the status_page.js endpoint.","modified":"2026-04-11T16:35:04.095510Z","published":"2023-04-04T15:15:09.103Z","references":[{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/171699/Uptime-Kuma-1.19.6-Cross-Site-Scripting.html"},{"type":"REPORT","url":"https://github.com/louislam/uptime-kuma/issues/2186"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/louislam/uptime-kuma","events":[{"introduced":"0"},{"last_affected":"2b57b3e863954c9d9cf7911b76f600bb8de4c41b"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.19.6"}],"cpe":"cpe:2.3:a:uptime_kuma_project:uptime_kuma:*:*:*:*:*:*:*:*"}}],"versions":["1.0.0","1.0.1","1.0.10","1.0.2","1.0.3","1.0.4","1.0.5","1.0.7","1.0.8","1.0.9","1.1.0","1.10.0","1.10.1","1.10.2","1.11.0","1.11.1","1.11.2","1.11.3","1.11.4","1.12.0","1.12.1","1.14.0-beta.1","1.14.0-beta.2","1.16.0-beta.0","1.17.0","1.17.0-beta.0","1.17.0-beta.1","1.17.1","1.19.0","1.19.0-beta.1","1.19.0-beta.2","1.19.1","1.19.2","1.19.3","1.19.4","1.19.5","1.19.6","1.2.0","1.3.0","1.3.1","1.3.2","1.6.0","1.7.0","1.9.0","1.9.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-26777.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}