What is the CVSS score of EUVD-2026-36598?

EUVD-2026-36598 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Nezha Monitoring are affected by EUVD-2026-36598?

Nezha Monitoring versions before 2.0.13 contain a critical unauthenticated path traversal vulnerability allowing attackers to access sensitive configuration files, API credentials, and operational…. A patch is available.

How to fix or mitigate EUVD-2026-36598?

Within 24 hours: Inventory all Nezha Monitoring deployments and determine running versions; immediately isolate dashboard servers from untrusted networks if operationally feasible. Within 7 days: Implement firewall rules restricting dashboard access to authorized administrator IP ranges; deploy WAF rules blocking path traversal patterns (../) in requests; enable detailed request logging and alerting for exploitation attempts. Within 30 days: Monitor nezhahq/nezha repository for version 2.0.13 or later patch release; develop and test upgrade procedures; evaluate alternative monitoring solutions if patch timeline extends beyond 30 days.

Nezha Monitoring EUVD-2026-36598

| CVE-2026-53519 CRITICAL

Path Traversal (CWE-22)

2026-06-12 GitHub_M

Path Traversal Nezha

9.1

CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

vuln.today AI

7.5 HIGH

Remotely reachable HTTP endpoint, no auth or interaction (AV:N/AC:L/PR:N/UI:N); http.ServeFile is read-only so C:H but I:N/A:N for direct impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

Jun 12, 2026 - 23:01 EUVD

Analysis Generated

Jun 12, 2026 - 22:16 vuln.today

DescriptionCVE.org

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves ../data/config.yaml; and path.Join("admin-dist", "../data/config.yaml") normalizes to data/config.yaml - which os.Stat finds and http.ServeFile returns. No authentication required. This issue has been patched in version 2.0.13.

AnalysisAI

Unauthenticated path traversal in Nezha Monitoring (nezhahq/nezha) before 2.0.13 allows remote attackers to read arbitrary files from the dashboard host by abusing the NoRoute fallbackToFrontend handler. The handler matches the /dashboard prefix with strings.HasPrefix rather than a path-segment comparison, so a request like /dashboard../data/config.yaml is normalized by path.Join into the application's data directory and served by http.ServeFile. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Discover exposed Nezha dashboard

Delivery

Send GET /dashboard../data/config.yaml

Exploit

Bypass HasPrefix and TrimPrefix

Install

path.Join normalizes to data/config.yaml

http.ServeFile returns YAML secrets

Execute

Authenticate with leaked admin/agent secret

Impact

Pivot to monitored hosts via task execution

Recon

Discover exposed Nezha dashboard

Delivery

Send GET /dashboard../data/config.yaml

Exploit

Bypass HasPrefix and TrimPrefix

Install

path.Join normalizes to data/config.yaml

http.ServeFile returns YAML secrets

Execute

Authenticate with leaked admin/agent secret

Impact

Pivot to monitored hosts via task execution

Vulnerability AssessmentAI

Exploitation	No special conditions - remote unauthenticated exploitation against default configurations of the Nezha Monitoring dashboard, reachable on whatever port/host the operator exposes (typically the dashboard HTTP listener). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The signals are mostly aligned toward high real-world risk: the published CVSS3.1 vector AV:N/AC:L/PR:N/UI:N marks the bug as remotely exploitable, unauthenticated, and low-complexity, and the description confirms no authentication is required and provides a working payload. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker scans the internet for Nezha dashboards on common ports (8008, 80, 443) and issues a single unauthenticated GET request such as GET /dashboard../data/config.yaml HTTP/1.1, receiving the raw YAML containing the admin and agent secrets and database credentials. With those secrets the attacker then authenticates to the dashboard, registers as a controller of every monitored host, and uses Nezha's task-execution feature to run commands across the fleet. …
Remediation	Vendor-released patch: upgrade to Nezha 2.0.13 or later, which replaces the strings.HasPrefix check with a path-segment match; see the upstream advisory at https://github.com/nezhahq/nezha/security/advisories/GHSA-5c25-7vpj-9mqh for the fix commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Nezha Monitoring deployments and determine running versions; immediately isolate dashboard servers from untrusted networks if operationally feasible. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM This Month

6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire

CVE-2026-53522 MEDIUM This Month

6.5 Jun 12

Unbounded WebSocket stream allocation in Nezha Monitoring versions 1.0.0 through 2.1.x allows any authenticated dashboar

CVE-2026-53520 MEDIUM This Month

6.5 Jun 12

Nezha Monitoring versions 2.0.14 through 2.1.0 (exclusive) allows any authenticated user to exploit the NAT-based Host c

CVE-2026-53521 MEDIUM This Month

6.4 Jun 12

Incorrect authorization in Nezha Monitoring's DDNS profile subsystem allows an authenticated low-privilege member to pre

EUVD-2026-36598 vulnerability details – vuln.today

Back

Nezha Monitoring EUVD-2026-36598

Severity by source

CVSS VectorVendor: GitHub_M

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code