starred/uptime-kuma
1
0
Fork 0
mirror of https://github.com/louislam/uptime-kuma.git synced 2026-03-02 22:57:00 -05:00
Code Issues 754 Projects Packages Wiki Activity

Vulnerability Report Review Request #4505

New issue
Open
opened 2026-02-28 04:05:18 -05:00 by deekerman · 3 comments
deekerman commented 2026-02-28 04:05:18 -05:00
Owner
Copy link

Originally created by @J1vvoo on GitHub (Dec 4, 2025).

Originally assigned to: @louislam on GitHub.

GitHub Advisory URL for @louislam

https://github.com/louislam/uptime-kuma/security/advisories/GHSA-phcc-72j8-hccf

Originally created by @J1vvoo on GitHub (Dec 4, 2025). Originally assigned to: @louislam on GitHub. ### GitHub Advisory URL for @louislam https://github.com/louislam/uptime-kuma/security/advisories/GHSA-phcc-72j8-hccf
deekerman commented 2026-02-28 04:05:21 -05:00
Author
Owner
Copy link

@jaknz commented on GitHub (Dec 7, 2025):

I hope this is in response to: Admins and defenders gird themselves against maximum-severity server vulnerability!

@jaknz commented on GitHub (Dec 7, 2025): I hope this is in response to: [Admins and defenders gird themselves against maximum-severity server vulnerability](https://arstechnica.com/security/2025/12/admins-and-defenders-gird-themselves-against-maximum-severity-server-vulnerability/)!
deekerman commented 2026-02-28 04:05:23 -05:00
Author
Owner
Copy link

@CommanderStorm commented on GitHub (Dec 7, 2025):

@jaknz We don't use react.

@CommanderStorm commented on GitHub (Dec 7, 2025): @jaknz We don't use react.
deekerman commented 2026-02-28 04:05:23 -05:00
Author
Owner
Copy link

@J1vvoo commented on GitHub (Dec 7, 2025):

This issue is not related to the vulnerability mentioned in the Ars Technica article.
The content reported here concerns a Broken Access Control issue in which the /setup path is left exposed during the initial installation of Uptime Kuma, allowing an external user to claim the first administrator account.

Leaving this note to avoid any potential confusion.
I would appreciate it if you could review the GHSA-phcc-72j8-hccf report!

@J1vvoo commented on GitHub (Dec 7, 2025): This issue is not related to the vulnerability mentioned in the Ars Technica article. The content reported here concerns a **Broken Access Control** issue in which the /setup path is left exposed during the initial installation of Uptime Kuma, allowing an external user to claim the first administrator account. Leaving this note to avoid any potential confusion. I would appreciate it if you could review the GHSA-phcc-72j8-hccf report!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
npm-update
3.0.X
dev-better-auth
copilot/remove-password-complexity-requirements
2.2.X
copilot/sub-pr-6355
1.23.X
api-via-socketio-client
2.1.3
2.1.2
2.1.1
2.1.0
2.1.0-beta.3
2.1.0-beta.2
2.1.0-beta.1
2.1.0-beta.0
2.0.2
2.0.1
1.23.17
2.0.0
2.0.0-beta.4
2.0.0-beta.3
2.0.0-beta.2
2.0.0-beta.2-temp
2.0.0-beta.1
1.23.16
2.0.0-beta.0
1.23.15
1.23.14
1.23.13
1.23.12
1.23.11
1.23.10
1.23.9
1.23.8
1.23.7
1.23.6
1.23.5
1.23.5-beta.0
1.23.4
1.23.3
1.23.2
1.23.1
1.23.0
1.23.0-beta.1
1.23.0-beta.0
1.22.1
1.22.0
1.22.0-beta.0
1.21.3
1.21.2
1.21.2-beta.0
1.21.1
1.21.0
1.21.0-beta.1
1.21.0-beta.0
1.20.2
1.20.1
1.20.0
1.20.0-beta.0
1.19.6
1.19.5
1.19.4
1.19.3
1.19.2
1.19.1
1.19.0
1.19.0-beta.2
1.19.0-beta.1
1.19.0-beta.0
1.18.5
1.18.4
1.18.3
1.18.2
1.18.1
1.18.0
1.18.0-beta.0
1.17.1
1.17.0
1.17.0-beta.1
1.17.0-beta.0
1.16.1
1.16.0
1.16.0-beta.0
1.15.1
1.15.0
1.15.0-beta.1
1.14.1
1.15.0-beta.0
1.14.0
1.14.0-beta.2
1.13.2
1.14.0-beta.1
1.14.0-beta.0
1.13.1
1.13.0
1.13.0-beta.2
1.13.0-beta.1
1.13.0-beta.0
1.12.1
1.12.0
1.11.4
1.11.3
1.11.2
1.11.1
1.11.0
1.10.2
1.10.1
1.10.0
1.9.2
1.9.1
1.9.0
1.8.0
1.7.3
1.7.2
1.7.1
1.7.0
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1
1.5.0
1.3.2
1.3.1
1.3.0
1.2.0
1.1.0
1.0.10
1.0.9
1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0
Labels
Clear labels   
A:accessibility

   
A:api

   
A:cert-expiry

   
A:core

   
A:dashboard

   
A:deployment

   
A:documentation

   
A:domain expiry

   
A:incidents

   
A:maintenance

   
A:metrics

   
A:monitor

   
A:notifications

   
A:reports

   
A:settings

   
A:status-page

   
A:ui/ux

   
A:user-management

   
Stale

   
ai-slop

   
blocked

   
blocked-upstream

   
bug

   
cannot-reproduce

   
dependencies

   
discussion

   
duplicate

   
feature-request

   
feature-request

   
good first issue

   
hacktoberfest

   
help

   
help wanted

   
house keeping

   
invalid

   
invalid-format

   
invalid-format

   
question

   
releaseblocker 🚨

   
security

   
spam

   
type:enhance-existing

   
type:new

   
wontfix
No labels
A:accessibility
A:api
A:cert-expiry
A:core
A:dashboard
A:deployment
A:documentation
A:domain expiry
A:incidents
A:maintenance
A:metrics
A:monitor
A:notifications
A:reports
A:settings
A:status-page
A:ui/ux
A:user-management
Stale
ai-slop
blocked
blocked-upstream
bug
cannot-reproduce
dependencies
discussion
duplicate
feature-request
feature-request
good first issue
hacktoberfest
help
help wanted
house keeping
invalid
invalid-format
invalid-format
question
releaseblocker 🚨
security
spam
type:enhance-existing
type:new
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/uptime-kuma#4505
No description provided.