These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-53523 is a medium-severity vulnerability in Nezha Monitoring, a self-hostable, lightweight monitoring and O&M tool. Versions from 1.0.0 to before 2.2.0 are affected by a host header injection issue due to improper validation of the Host header in the getRedirectURL function. This vulnerability, with a CVSS score of 6.8, can be exploited through user interaction and requires no privileges. It has [truncated]
CVE-2026-53522 is a medium-severity vulnerability in Nezha Monitoring, a self-hostable, lightweight monitoring and O&M tool. Because the dashboard's WebSocket stream creation endpoints apply no rate limiting, semaphores, or connection caps, the issue allows unbounded map growth, potentially leading to resource exhaustion.
Nezha Monitoring is a self-hostable, lightweight tool for monitoring servers and websites. A vulnerability exists in versions 2.0.14 to before 2.1.0, where the PATCH /server/{id} endpoint accepts and persists nonexistent ddns_profiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and dispatches an update using the [truncated]
CVE-2026-53520 is a medium-severity vulnerability in Nezha Monitoring, a self-hostable, lightweight monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing. This issue has been patched in version 2.1.0. The CVSS score for this vulnerability is 6.5, indicating a medium severity.
Nezha Monitoring is a self-hostable, lightweight monitoring and O&M tool for servers and websites. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix rather than a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves [truncated]
Nezha Monitoring, a self-hostable, lightweight tool for monitoring servers and websites, had a vulnerability from version 2.0.0 to before 2.0.14. The issue allowed for the enumeration of private services (`EnableShowInService: false`) via per-server endpoints, potentially leaking service names and timing data. This vulnerability has been patched in version 2.0.14.
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Nezha Monitoring, a self-hostable, lightweight tool for monitoring servers and websites. The issue exists from version 0.20.0 up to but not including version 2.0.10. An authenticated user with low privileges can create or update a DDNS profile with a provider webhook. This allows them to configure an arbitrary webhook URL, HTTP method, [truncated]
CVE-2026-47124 is a medium-severity vulnerability in Nezha Monitoring, a self-hostable, lightweight tool for monitoring servers and websites. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but [truncated]
CVE-2026-47120 is a high-severity vulnerability in Nezha Monitoring, a self-hostable, lightweight monitoring and O&M tool. The issue allows a RoleMember to fire other users' cron tasks via AlertRule.FailTriggerTasks without ownership checks. This vulnerability affects Nezha Monitoring versions from 1.4.0 to before 2.0.8. The issue has been patched in version 2.0.8. The CVSS score for this vulnerability is [truncated]
Nezha Monitoring is a self-hostable, lightweight monitoring and O&M tool for servers and websites. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler, so a RoleMember user can call them. [truncated]
A critical vulnerability was discovered in Nezha Monitoring, a self-hostable, lightweight monitoring and O&M tool. The vulnerability allows a RoleMember user to create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other te [truncated]