CVE-2026-46717
published 2026-06-12


Priority: P346
Severity: high
CVSS 3.1 base score: 7.7
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.27% (18.5th percentile)
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler — so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and reflect the entire response body (no size limit) back to the caller on any non-2xx response. This issue has been patched in version 2.0.8.
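The two defects the advisory describes are an authorization gap (the notification routes reachable by RoleMember instead of only RoleAdmin) and an unbounded reflection of a remote response body. The following Go example is added here to show the shape of the fix a defender would expect; it is not Nezha's code, and the types Caller, Handler, adminOnly, sendNotification and newNotificationHandler are hypothetical names chosen for this illustration. Only the role values (RoleAdmin is 0, RoleMember is 1) come from the advisory.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// Roles as described in the advisory: RoleAdmin is 0, RoleMember is 1.
const (
	RoleAdmin  = 0
	RoleMember = 1
)

// Caller is a hypothetical stand-in for the authenticated session (not Nezha's type).
type Caller struct {
	Role int
}

// Handler is a hypothetical handler signature used only in this example.
type Handler func(c Caller) (status int, body string)

// adminOnly is the equivalent of wiring a route through an admin-only handler
// group rather than the common one: a RoleMember caller is rejected before the
// handler body (and therefore the outbound request) ever runs.
func adminOnly(h Handler) Handler {
	return func(c Caller) (int, string) {
		if c.Role != RoleAdmin {
			return http.StatusForbidden, "admin role required"
		}
		return h(c)
	}
}

// maxDrainBytes bounds how much of a remote response body is ever read.
const maxDrainBytes = 64 << 10

// sendNotification performs the outbound request but never hands the remote
// body back to the caller: it drains at most maxDrainBytes (so the connection
// can be reused) and reports only the status code on a non-2xx response.
func sendNotification(client *http.Client, url string, payload io.Reader) error {
	resp, err := client.Post(url, "application/json", payload)
	if err != nil {
		return fmt.Errorf("notification request failed: %w", err)
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, maxDrainBytes))
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("notification target returned HTTP %d", resp.StatusCode)
	}
	return nil
}

// newNotificationHandler builds the admin-only handler that exercises a
// notification target. In a real application the URL would come from the
// request body; here it is passed in so the example stays self-contained.
func newNotificationHandler(client *http.Client, url string) Handler {
	return adminOnly(func(c Caller) (int, string) {
		if err := sendNotification(client, url, strings.NewReader(`{"msg":"test"}`)); err != nil {
			// Detail stays server-side (log it there); the client learns only that it failed.
			return http.StatusBadGateway, "notification test failed"
		}
		return http.StatusOK, "ok"
	})
}

func main() {
	client := &http.Client{Timeout: 5 * time.Second}
	// Constructed target: nothing listens on this port, so the admin call fails closed.
	h := newNotificationHandler(client, "http://127.0.0.1:9/unreachable")
	for _, c := range []Caller{{Role: RoleMember}, {Role: RoleAdmin}} {
		status, body := h(c)
		fmt.Printf("role=%d -> %d %s\n", c.Role, status, body)
	}
}
```

The two checks to keep in mind when reviewing a fix like this: the role gate must sit in front of the handler (not inside it after the outbound request has already been made), and the error path must carry only a status code, not the remote body, since the body is what a low-privileged caller would otherwise be able to read.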

Affected (2 ranges)

Vendor: github.com
Product: nezhahq_nezha
Version range: >= 1.4.0, < 1.14.15-0.20260517022419-d06d539d34c1
Fixed in: 1.14.15-0.20260517022419-d06d539d34c1

Vendor: nezhahq
Product: nezha
Version range: (not given)
Fixed in: (not given)