| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.9 | CVE-2026-46716 | Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron | >= 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97 |
| HIGH | 8.5 | CVE-2026-46717 | Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification | >= 1.4.0, < 1.14.15-0.20260517022419-d06d539d34c1 |
| HIGH | 7.1 | (none listed) | Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents | >= 1.0.0, < 2.0.14 |
| HIGH | 7.1 | (none listed) | Nezha's authenticated agents can forge service-monitor results for other users' services | >= 0.20.0, < 1.14.15-0.20260521020202-02129f16fb15 |
| MEDIUM | 6.5 | (none listed) | Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members | >= 1.4.0, < 1.14.15-0.20260517034128-05e5da253519 |
| MEDIUM | 6.4 | (none listed) | Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host | >= 0.20.0, < 2.0.10 |
| MEDIUM | 5.4 | (none listed) | Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check) | >= 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97 |
| MEDIUM | 5.3 | (none listed) | Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data | >= 2.0.0, < 2.0.14 |