
Nezhahq Nezha vulnerabilities

13 known vulnerabilities affecting nezhahq/nezha.

Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 7

Vulnerabilities

CVE-2026-46716
Priority: P2 | Severity: CRITICAL | CVSS: 9.9 | Affected: >= 1.4.0, < 2.0.8 | Date: 2026-06-12
CWE-78. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global S
Source: nvd
CVE-2026-53519
Priority: P2 | Severity: CRITICAL | CVSS: 9.1 | Affected: fixed in 2.0.13 | Date: 2026-06-12
CWE-22. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard.
Source: nvd
CVE-2026-46717
Priority: P3 | Severity: HIGH | CVSS: 7.7 | Affected: >= 1.4.0, < 2.0.8 | Date: 2026-06-12
CWE-863. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather
Source: nvd
CVE-2026-47124
Priority: P3 | Severity: MEDIUM | CVSS: 6.5 | Affected: >= 1.4.0, < 2.0.9 | Date: 2026-06-12
CWE-200. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermi
Source: nvd
CVE-2026-47268
Priority: P3 | Severity: MEDIUM | CVSS: 6.4 | Affected: >= 0.20.0, < 2.0.10 | Date: 2026-06-12
CWE-918. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a serv
Source: nvd
CVE-2026-48119
Priority: P3 | Severity: HIGH | CVSS: 7.1 | Affected: >= 0.20.0, < 2.0.12 | Date: 2026-06-12
CWE-862. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.12, authenticated agents can forge service-monitor results for other users' services. This issue has been patched in version 2.0.12.
Source: nvd
CVE-2026-47120
Priority: P3 | Severity: HIGH | CVSS: 7.1 | Affected: >= 1.4.0, < 2.0.8 | Date: 2026-06-12
CWE-862. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check). This issue has been patched in version 2.0.8.
Source: nvd
CVE-2026-53522
Priority: P3 | Severity: MEDIUM | CVSS: 6.5 | Affected: >= 1.0.0, < 2.2.0 | Date: 2026-06-12
CWE-770. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-6
Source: nvd
CVE-2026-53521
Priority: P3 | Severity: MEDIUM | CVSS: 6.4 | Affected: >= 2.0.14, < 2.1.0 | Date: 2026-06-12
CWE-863. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, PATCH /server/{id} accepts and persists nonexistent ddns_profiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and di
Source: nvd
CVE-2026-53523
Priority: P3 | Severity: MEDIUM | CVSS: 6.8 | Affected: >= 1.0.0, < 2.2.0 | Date: 2026-06-12
CWE-601. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header. This can result in host he
Source: nvd
CVE-2026-53520
Priority: P3 | Severity: MEDIUM | CVSS: 6.5 | Affected: >= 2.0.14, < 2.1.0 | Date: 2026-06-12
CWE-284. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing. This issue has been patched in version 2.1.0.
Source: nvd
CVE-2026-49396
Priority: P4 | Severity: HIGH | CVSS: 7.1 | Affected: >= 1.0.0, < 2.0.14 | Date: 2026-06-12
CWE-352. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.0.14, a cross-site GET request can trigger stored cron commands on a victim's agents. This issue has been patched in version 2.0.14.
Source: nvd
CVE-2026-49397
Priority: P4 | Severity: MEDIUM | CVSS: 5.3 | Affected: >= 2.0.0, < 2.0.14 | Date: 2026-06-12
CWE-200. Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.0 to before version 2.0.14, private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data. This issue has been patched in version 2.0.14.
Source: nvd