Uptime Kuma versions 1.19.6 and below suffer from a cross-site scripting vulnerability.
c06aee89dac8ccf26268e2419ba45a3adefeed2d8ae5fefbad514866b66727f5
# Exploit Title: Stored XSS in uptime-kuma <= v1.19.6
# CVE: CVE-2023-26777
# Exploit Author: Achuth V P (retrymp3)
# Date: February 09, 2023
# Vendor Homepage: https://github.com/louislam/
# Software Link: https://github.com/louislam/uptime-kuma
# Tested on: Ubuntu
# Version: <= v1.19.6
# Exploit Description: A stored cross-site scripting vulnerability in Uptime Kuma v1.19.6 and earlier allows a remote attacker to execute arbitrary JavaScript code via the description, title, footer, and incident creation parameters of the status page in the application.
Create a status page and, as the title or the description, supply the payload: <script>""</script><script>alert("XSS")</script>
If anyone loads the page, the JavaScript inside the script tags will be executed.
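
The defensive side of the steps above, as an added example that is not part of the advisory and not Uptime Kuma's own code or fix: it audits stored status-page records for active content and shows the quoted payload rendered inert by output encoding. The field names (title, description, footer, incident), the slug key and the sample records are assumptions constructed for illustration.

```javascript
// Added example, not Uptime Kuma code. Field names are assumed for illustration.
const FIELDS = ["title", "description", "footer", "incident"];

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(value) {
    const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
    return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Patterns that indicate active content in a stored field (no /g flag,
// so RegExp.test() keeps no state between calls).
const ACTIVE_CONTENT = [
    { name: "script-tag", re: /<\s*script\b/i },
    { name: "event-handler", re: /<[^>]*\son\w+\s*=/i },
    { name: "javascript-url", re: /javascript\s*:/i },
];

// Return one finding per (field, pattern) match so stored records can be reviewed.
function auditStatusPage(page) {
    const findings = [];
    for (const field of FIELDS) {
        const value = page[field];
        if (typeof value !== "string") continue;
        for (const { name, re } of ACTIVE_CONTENT) {
            if (re.test(value)) findings.push({ slug: page.slug, field, pattern: name });
        }
    }
    return findings;
}

// Return a copy whose text fields are safe to interpolate into HTML text.
function renderSafe(page) {
    const out = { ...page };
    for (const field of FIELDS) {
        if (typeof out[field] === "string") out[field] = escapeHtml(out[field]);
    }
    return out;
}

// Constructed sample records; the first title is the payload quoted above.
const samplePages = [
    { slug: "demo", title: '<script>""</script><script>alert("XSS")</script>', description: "All systems", footer: "", incident: "" },
    { slug: "ops", title: "Ops status", description: "API & web", footer: "Contact ops", incident: "" },
];

for (const page of samplePages) {
    console.log(page.slug, auditStatusPage(page), renderSafe(page).title);
}
```

Output encoding as shown suits fields meant to hold plain text; a field that is meant to carry rich text needs an allow-list HTML sanitizer instead.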