CVE-2026-46716
published 2026-06-12


Priority: P2 (64)
Severity: critical, 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.34% (25.7th percentile)
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup → attacker-controlled webhook. This issue has been patched in version 2.0.8.
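The missing tenant check described above, as an added Go sketch (not Nezha's code and not the upstream patch). `selectTargets`, the `Server` and `Cron` structs, `CronCoverIgnoreAll`, the owner filter and the reading of `Servers` as an exclusion list under `CronCoverAll` are assumptions; only the names `CronCoverAll`, `Servers` and `Command` come from the advisory text.

```go
package main

import "fmt"

// Names mirror the advisory text; types and values are assumptions for this sketch.
const (
	CronCoverIgnoreAll = iota // run only on the servers listed in Servers
	CronCoverAll              // run on every server except those listed in Servers
)

type Server struct{ ID, OwnerID uint64 }

type Cron struct {
	OwnerID uint64
	Cover   int
	Servers []uint64
	Command string
}

// selectTargets returns the server IDs a cron task would be dispatched to.
// scoped=false reproduces the behaviour the advisory describes: the global
// server list is walked with no ownership check.
// scoped=true skips servers not owned by the task's creator unless the
// creator is an admin (hypothetical mitigation, not the project's fix).
func selectTargets(cr Cron, all []Server, isAdmin, scoped bool) []uint64 {
	listed := make(map[uint64]bool, len(cr.Servers))
	for _, id := range cr.Servers {
		listed[id] = true
	}
	var out []uint64
	for _, s := range all {
		if cr.Cover == CronCoverAll && listed[s.ID] {
			continue
		}
		if cr.Cover == CronCoverIgnoreAll && !listed[s.ID] {
			continue
		}
		if scoped && !isAdmin && s.OwnerID != cr.OwnerID {
			continue // tenant boundary: never dispatch to another user's server
		}
		out = append(out, s.ID)
	}
	return out
}

func main() {
	// Constructed fleet: server 1 belongs to user 1 (admin), 2 to member 2, 3 to member 3.
	fleet := []Server{{1, 1}, {2, 2}, {3, 3}}
	job := Cron{OwnerID: 2, Cover: CronCoverAll, Command: "uptime"}
	fmt.Println("unscoped:", selectTargets(job, fleet, false, false))
	fmt.Println("scoped:  ", selectTargets(job, fleet, false, true))
}
```

The same owner comparison is useful as an audit query on an existing deployment: any stored task whose creator is not an admin and whose resolved target set contains servers owned by someone else deserves review.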

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | nezhahq_nezha | 1.14.13 – 1.14.14 | |
| github.com | nezhahq_nezha | >= 1.4.0 < 1.14.15-0.20260517022419-d7526351cf97 | 1.14.15-0.20260517022419-d7526351cf97 |
| github.com | nezhahq_nezha | >= 2.0.0 < 2.0.10 | 2.0.10 |
| nezhahq | nezha | | |