CVE-2025-26042

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

17/03/2025

Last modified:

26/01/2026

Description

Uptime Kuma >== 1.23.0 has a ReDoS vulnerability, specifically when an administrator creates a notification through the web service. If a string is provided it triggers catastrophic backtracking in the regular expression, leading to a ReDoS attack.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 6.00 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): High
Availability (A): High

Base Score 3.x

6.00

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://github.com/louislam/uptime-kuma/commit/7a9191761dbef6551c2a0aa6eed5f693ba48d688
https://github.com/louislam/uptime-kuma/issues/5574
https://github.com/louislam/uptime-kuma/pull/5573