8 Total advisories
8 Vulnerabilities
0 Malware
Vulnerabilities
MEDIUM 5.3
CVE-2026-49397
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
HIGH 7.1
CVE-2026-49396
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents
HIGH 7.1
CVE-2026-48119
Nezha's authenticated agents can forge service-monitor results for other users' services
MEDIUM 6.4
CVE-2026-47268
Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host
MEDIUM 6.5
CVE-2026-47124
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
CRITICAL 9.9
CVE-2026-46716
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
MEDIUM 5.4
CVE-2026-47120
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)
HIGH 8.5
CVE-2026-46717
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification