CVE-2026-46716

Published 13/06/2026 00:16 · Modified 12/06/2026 22:16 · Author: The MITRE Corporation

Essential information

Published: 13/06/2026 00:16
Modified: 12/06/2026 22:16
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 9.9 CRITICAL (v3.1)
CISA KEV: No
CWE: CWE-78
EPSS (First): percentile 15.7% (score 0.00049)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup → attacker-controlled webhook. This issue has been patched in version 2.0.8.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: nezha / nezha monitoring
CPE: cpe:2.3:a:nezha:nezha_monitoring:1.4.0-2.0.8:*:*:*:*:*:*:*

References