GHSA-vffh-c9pq-4crh: Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read

October 20, 2025

In some Notification types (e.g., Webhook, Telegram), the send() function allows user-controlled renderTemplate input. This leads to a Server-side Template Injection (SSTI) vulnerability that can be exploited to read arbitrary files from the server.

References

github.com/advisories/GHSA-vffh-c9pq-4crh
github.com/louislam/uptime-kuma
github.com/louislam/uptime-kuma/security/advisories/GHSA-vffh-c9pq-4crh

Code Behaviors & Features

Detect and mitigate GHSA-vffh-c9pq-4crh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →