[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-46716":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-13T17:48:13.121Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":460,"aliases":461,"duplicate_of":9,"upstream":463,"downstream":464,"duplicates":465,"related":466,"reserved_at":9,"published_at":467,"modified_at":467,"state":468,"summary":469,"references_raw":478,"kevs":492,"epss":493,"epss_history":496,"metrics":502,"affected":512},"CVE-2026-46716","Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup and on to an attacker-controlled webhook. 
This issue has been patched in version 2.0.8.",null,[11,40,292],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-78","Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.","weakness","Stable","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-108","Command Line Execution through SQL Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-15","Command Delimiters",[],{"id":29,"name":30,"techniques":31},"CAPEC-43","Exploiting Multiple Input Interpretation Layers",[],{"id":33,"name":34,"techniques":35},"CAPEC-6","Argument Injection",[],{"id":37,"name":38,"techniques":39},"CAPEC-88","OS Command Injection",[],{"_key":41,"id":41,"name":42,"description":43,"type":15,"status":44,"abstraction":45,"likelihood_of_exploit":46,"capec":47},"CWE-269","Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.","Draft","Class","Medium",[48,210,288],{"id":49,"name":50,"techniques":51},"CAPEC-122","Privilege Abuse",[52],{"id":53,"name":54,"tactics":55,"countermeasures":62},"T1548","Abuse Elevation Control Mechanism",[56,59],{"id":57,"name":58},"TA0030","Defense Evasion",{"id":60,"name":61},"TA0111","Privilege Escalation",[63,68,72,76,80,85,89,93,97,101,105,109,113,117,122,126,131,136,140,144,148,153,157,161,165,169,174,178,182,186,190,194,198,202,206],{"id":64,"name":65,"tactic":66},"D3-CI","Configuration Inventory",{"name":67},"Model",{"id":69,"name":70,"tactic":71},"D3-AM","Access Modeling",{"name":67},{"id":73,"name":74,"tactic":75},"D3-DI","Data 
Inventory",{"name":67},{"id":77,"name":78,"tactic":79},"D3-NTPM","Network Traffic Policy Mapping",{"name":67},{"id":81,"name":82,"tactic":83},"D3-AEM","Application Exception Monitoring",{"name":84},"Detect",{"id":86,"name":87,"tactic":88},"D3-SCA","System Call Analysis",{"name":84},{"id":90,"name":91,"tactic":92},"D3-SFA","System File Analysis",{"name":84},{"id":94,"name":95,"tactic":96},"D3-FA","File Analysis",{"name":84},{"id":98,"name":99,"tactic":100},"D3-FIM","File Integrity Monitoring",{"name":84},{"id":102,"name":103,"tactic":104},"D3-OPM","Operational Process Monitoring",{"name":84},{"id":106,"name":107,"tactic":108},"D3-DA","Dynamic Analysis",{"name":84},{"id":110,"name":111,"tactic":112},"D3-EFA","Emulated File Analysis",{"name":84},{"id":114,"name":115,"tactic":116},"D3-PSA","Process Spawn Analysis",{"name":84},{"id":118,"name":119,"tactic":120},"D3-FEV","File Eviction",{"name":121},"Evict",{"id":123,"name":124,"tactic":125},"D3-AL","Account Locking",{"name":121},{"id":127,"name":128,"tactic":129},"D3-DF","Decoy File",{"name":130},"Deceive",{"id":132,"name":133,"tactic":134},"D3-FE","File Encryption",{"name":135},"Harden",{"id":137,"name":138,"tactic":139},"D3-AA","Agent Authentication",{"name":135},{"id":141,"name":142,"tactic":143},"D3-CDP","Change Default Password",{"name":135},{"id":145,"name":146,"tactic":147},"D3-SCP","System Configuration Permissions",{"name":135},{"id":149,"name":150,"tactic":151},"D3-RC","Restore Configuration",{"name":152},"Restore",{"id":154,"name":155,"tactic":156},"D3-RF","Restore File",{"name":152},{"id":158,"name":159,"tactic":160},"D3-ULA","Unlock Account",{"name":152},{"id":162,"name":163,"tactic":164},"D3-RUAA","Restore User Account Access",{"name":152},{"id":166,"name":167,"tactic":168},"D3-RD","Restore Database",{"name":152},{"id":170,"name":171,"tactic":172},"D3-SCF","System Call Filtering",{"name":173},"Isolate",{"id":175,"name":176,"tactic":177},"D3-CF","Content 
Filtering",{"name":173},{"id":179,"name":180,"tactic":181},"D3-LFP","Local File Permissions",{"name":173},{"id":183,"name":184,"tactic":185},"D3-RFAM","Remote File Access Mediation",{"name":173},{"id":187,"name":188,"tactic":189},"D3-CQ","Content Quarantine",{"name":173},{"id":191,"name":192,"tactic":193},"D3-CM","Content Modification",{"name":173},{"id":195,"name":196,"tactic":197},"D3-UAP","User Account Permissions",{"name":173},{"id":199,"name":200,"tactic":201},"D3-EAL","Executable Allowlisting",{"name":173},{"id":203,"name":204,"tactic":205},"D3-EDL","Executable Denylisting",{"name":173},{"id":207,"name":208,"tactic":209},"D3-HBPI","Hardware-based Process Isolation",{"name":173},{"id":211,"name":61,"techniques":212},"CAPEC-233",[213],{"id":53,"name":54,"tactics":214,"countermeasures":217},[215,216],{"id":57,"name":58},{"id":60,"name":61},[218,220,222,224,226,228,230,232,234,236,238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,274,276,278,280,282,284,286],{"id":64,"name":65,"tactic":219},{"name":67},{"id":69,"name":70,"tactic":221},{"name":67},{"id":73,"name":74,"tactic":223},{"name":67},{"id":77,"name":78,"tactic":225},{"name":67},{"id":81,"name":82,"tactic":227},{"name":84},{"id":86,"name":87,"tactic":229},{"name":84},{"id":90,"name":91,"tactic":231},{"name":84},{"id":94,"name":95,"tactic":233},{"name":84},{"id":98,"name":99,"tactic":235},{"name":84},{"id":102,"name":103,"tactic":237},{"name":84},{"id":106,"name":107,"tactic":239},{"name":84},{"id":110,"name":111,"tactic":241},{"name":84},{"id":114,"name":115,"tactic":243},{"name":84},{"id":118,"name":119,"tactic":245},{"name":121},{"id":123,"name":124,"tactic":247},{"name":121},{"id":127,"name":128,"tactic":249},{"name":130},{"id":132,"name":133,"tactic":251},{"name":135},{"id":137,"name":138,"tactic":253},{"name":135},{"id":141,"name":142,"tactic":255},{"name":135},{"id":145,"name":146,"tactic":257},{"name":135},{"id":149,"name":150,"tactic":259},{"name":152},{"id":154,"name":155,"tact
ic":261},{"name":152},{"id":158,"name":159,"tactic":263},{"name":152},{"id":162,"name":163,"tactic":265},{"name":152},{"id":166,"name":167,"tactic":267},{"name":152},{"id":170,"name":171,"tactic":269},{"name":173},{"id":175,"name":176,"tactic":271},{"name":173},{"id":179,"name":180,"tactic":273},{"name":173},{"id":183,"name":184,"tactic":275},{"name":173},{"id":187,"name":188,"tactic":277},{"name":173},{"id":191,"name":192,"tactic":279},{"name":173},{"id":195,"name":196,"tactic":281},{"name":173},{"id":199,"name":200,"tactic":283},{"name":173},{"id":203,"name":204,"tactic":285},{"name":173},{"id":207,"name":208,"tactic":287},{"name":173},{"id":289,"name":290,"techniques":291},"CAPEC-58","Restful Privilege Elevation",[],{"_key":293,"id":293,"name":294,"description":295,"type":15,"status":296,"abstraction":45,"likelihood_of_exploit":18,"capec":297},"CWE-862","Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.","Incomplete",[298],{"id":299,"name":300,"techniques":301},"CAPEC-665","Exploitation of Thunderbolt Protection Flaws",[302,335,373],{"id":303,"name":304,"tactics":305,"countermeasures":310},"T1211","Exploitation for Stealth",[306,307],{"id":57,"name":58},{"id":308,"name":309},"TA0005","Stealth",[311,315,319,323,327,331],{"id":312,"name":313,"tactic":314},"D3-MBT","Memory Boundary Tracking",{"name":84},{"id":316,"name":317,"tactic":318},"D3-PCSV","Process Code Segment Verification",{"name":84},{"id":320,"name":321,"tactic":322},"D3-SSC","Shadow Stack Comparisons",{"name":84},{"id":324,"name":325,"tactic":326},"D3-PSEP","Process Segment Execution Prevention",{"name":135},{"id":328,"name":329,"tactic":330},"D3-SAOR","Segment Address Offset Randomization",{"name":135},{"id":332,"name":333,"tactic":334},"D3-SFCV","Stack Frame Canary Validation",{"name":135},{"id":336,"name":337,"tactics":338,"countermeasures":344},"T1542.002","Component 
Firmware",[339,340,341],{"id":57,"name":58},{"id":308,"name":309},{"id":342,"name":343},"TA0110","Persistence",[345,349,353,357,361,365,369],{"id":346,"name":347,"tactic":348},"D3-SWI","Software Inventory",{"name":67},{"id":350,"name":351,"tactic":352},"D3-AVE","Asset Vulnerability Enumeration",{"name":67},{"id":354,"name":355,"tactic":356},"D3-FEMC","Firmware Embedded Monitoring Code",{"name":84},{"id":358,"name":359,"tactic":360},"D3-FV","Firmware Verification",{"name":84},{"id":362,"name":363,"tactic":364},"D3-FBA","Firmware Behavior Analysis",{"name":84},{"id":366,"name":367,"tactic":368},"D3-SU","Software Update",{"name":135},{"id":370,"name":371,"tactic":372},"D3-RS","Restore Software",{"name":152},{"id":374,"name":375,"tactics":376,"countermeasures":385},"T1556","Modify Authentication Process",[377,378,381,382],{"id":57,"name":58},{"id":379,"name":380},"TA0112","Defense Impairment",{"id":342,"name":343},{"id":383,"name":384},"TA0031","Credential Access",[386,388,390,392,394,396,400,404,406,408,410,414,418,422,426,428,430,432,434,436,438,440,442,444,448,450,452,456],{"id":64,"name":65,"tactic":387},{"name":67},{"id":77,"name":78,"tactic":389},{"name":67},{"id":69,"name":70,"tactic":391},{"name":67},{"id":94,"name":95,"tactic":393},{"name":84},{"id":98,"name":99,"tactic":395},{"name":84},{"id":397,"name":398,"tactic":399},"D3-PLA","Process Lineage Analysis",{"name":84},{"id":401,"name":402,"tactic":403},"D3-PSMD","Process Self-Modification Detection",{"name":84},{"id":114,"name":115,"tactic":405},{"name":84},{"id":90,"name":91,"tactic":407},{"name":84},{"id":118,"name":119,"tactic":409},{"name":121},{"id":411,"name":412,"tactic":413},"D3-PT","Process Termination",{"name":121},{"id":415,"name":416,"tactic":417},"D3-PS","Process Suspension",{"name":121},{"id":419,"name":420,"tactic":421},"D3-HR","Host Reboot",{"name":121},{"id":423,"name":424,"tactic":425},"D3-HS","Host 
Shutdown",{"name":121},{"id":127,"name":128,"tactic":427},{"name":130},{"id":132,"name":133,"tactic":429},{"name":135},{"id":154,"name":155,"tactic":431},{"name":152},{"id":149,"name":150,"tactic":433},{"name":152},{"id":175,"name":176,"tactic":435},{"name":173},{"id":179,"name":180,"tactic":437},{"name":173},{"id":183,"name":184,"tactic":439},{"name":173},{"id":187,"name":188,"tactic":441},{"name":173},{"id":191,"name":192,"tactic":443},{"name":173},{"id":445,"name":446,"tactic":447},"D3-KBPI","Kernel-based Process Isolation",{"name":173},{"id":170,"name":171,"tactic":449},{"name":173},{"id":207,"name":208,"tactic":451},{"name":173},{"id":453,"name":454,"tactic":455},"D3-ABPI","Application-based Process Isolation",{"name":173},{"id":457,"name":458,"tactic":459},"D3-WSAM","Web Session Access Mediation",{"name":173},[],[462],"GHSA-99gv-2m7h-3hh9",[],[],[],[],"2026-06-12T21:00:46.700Z","Received",{"cisa_kev":470,"cisa_ransomware":470,"cisa_vendor":9,"epss_severity":471,"epss_score":472,"severity":473,"severity_score":474,"severity_version":475,"severity_source":476,"severity_vector":477,"severity_status":468},false,"low",0.00044,"critical",9.9,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",[479,487],{"url":480,"sources":481,"tags":484},"https://github.com/nezhahq/nezha/security/advisories/GHSA-99gv-2m7h-3hh9",[482,476,483],"osv_go","nvd",[485,486],"WEB","X Refsource 
CONFIRM",{"url":488,"sources":489,"tags":490},"https://github.com/nezhahq/nezha",[482],[491],"PACKAGE",[],{"date":494,"score":472,"percentile":495},"2026-06-13",0.13885,[497,501],{"date":498,"score":499,"percentile":500},"2026-06-12",0.00049,0.15698,{"date":494,"score":472,"percentile":495},[503,507,510],{"source":482,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":504,"cvss_v4_0":9},{"baseScore":474,"baseSeverity":9,"vectorString":477,"impactScore":505,"exploitabilityScore":506},10,7.9,{"source":476,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":508,"cvss_v4_0":9},{"baseScore":474,"baseSeverity":509,"vectorString":477,"impactScore":505,"exploitabilityScore":506},"CRITICAL",{"source":483,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":511,"cvss_v4_0":9},{"baseScore":474,"baseSeverity":509,"vectorString":477,"impactScore":505,"exploitabilityScore":506},[513,528],{"ecosystem":514,"name":515,"vendor":516,"product":517,"cpe_part":9,"purl_type":518,"purl_namespace":516,"purl_name":517,"source":9,"versions":519},"Go","github.com/nezhahq/nezha","github.com/nezhahq","nezha","golang",[520],{"version":521,"is_range":522,"range_type":523,"version_start":524,"version_start_type":525,"version_end":526,"version_end_type":527,"fixed_in":9},"gte1_4_0_lt1_14_15_0_20260517022419_d7526351cf97",true,"semver","1.4.0","including","1.14.15-0.20260517022419-d7526351cf97","excluding",{"ecosystem":9,"name":517,"vendor":529,"product":517,"cpe_part":530,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":531},"nezhahq","a",[532],{"version":533,"is_range":522,"range_type":476,"version_start":524,"version_start_type":525,"version_end":534,"version_end_type":527,"fixed_in":9},">= 1.4.0, \u003C 2.0.8","2.0.8"]