pkg:Go/github.com/nezhahq/nezha

6 total CVEs: CRITICAL 1 · HIGH 2 · MEDIUM 3

All known vulnerabilities

  • CRITICAL 9.9 · CVE-2026-46716 · Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
    >= 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97
  • HIGH 8.5 · CVE-2026-46717 · Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
    >= 1.4.0, < 1.14.15-0.20260517022419-d06d539d34c1
  • HIGH 7.1 · CVE-2026-48119 · Nezha's authenticated agents can forge service-monitor results for other users' services
    >= 0.20.0, < 1.14.15-0.20260521020202-02129f16fb15
  • MEDIUM 6.5 · CVE-2026-47124 · Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
    >= 1.4.0, < 1.14.15-0.20260517034128-05e5da253519
  • MEDIUM 6.4 · CVE-2026-47268 · Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host
    >= 0.20.0, < 2.0.10
  • MEDIUM 5.4 · CVE-2026-47120 · Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)
    >= 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97
Go/github.com/nezhahq/nezha — 6 CVEs · VulnScope