CVE-2026-29779

Published: Mar 7, 2026

Modified: Mar 9, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Due to pages/incidents.tsx importing and using workerConfig directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors. This issue has been patched via commit 377a596.

Vendor	Product	Versions
lyc8503	UptimeFlare	affected `< 377a5963c66ba9a798abebfe8d80378b053435e9`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/lyc8503/UptimeFlare/security/advisories/GHSA-36q9-v7p3-vj6v

x_refsource_CONFIRM

https://github.com/lyc8503/UptimeFlare/issues/198

x_refsource_MISC

https://github.com/lyc8503/UptimeFlare/commit/377a5963c66ba9a798abebfe8d80378b053435e9

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-29779

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References