Authored by Achuth V P

Uptime Kuma versions 1.19.6 and below suffer from a cross site scripting vulnerability.

advisories | CVE-2023-26777

# Exploit Title: Stored XSS in uptime-kuma <= v1.19.6
# CVE: CVE-2023-26777
# Exploit Author: Achuth V P (retrymp3)
# Date: February 09, 2023
# Vendor Homepage:
# Software Link:
# Tested on: Ubuntu
# Version: <= v1.19.6
# Exploit Description: Stored Cross Site Scripting vulnerability found in Uptime Kuma v.1.19.6 and before, allows a remote attacker to execute arbitrary javascript code via the description, title, footer, and incident creation parameter of the status status page in the application.

Create a status page, while giving the title or the discription give the payload: <script>""</script><script>alert("XSS")</script>
If anyone loads the page, the javascript inside the script tag will be executed.