news - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
HIGH 8.7	CVE-2026-53608	@apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Injected into Script Tag_CVE-2026-53608 ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects t...	apostrophecms	@apostrophecms/seo <= 1.4.2	Jun 12, 2026	CVE
MEDIUM 6.8	CVE-2026-53523	Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection_CVE-2026-53523 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the get...	nezhahq	nezha >= 1.0.0, < 2.2.0	Jun 12, 2026	CVE
MEDIUM 6.5	CVE-2026-53522	Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS_CVE-2026-53522 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nez...	nezhahq	nezha >= 1.0.0, < 2.2.0	Jun 12, 2026	CVE
MEDIUM 6.4	CVE-2026-53521	Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user’s DDNS profile context_CVE-2026-53521 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, PATCH ...	nezhahq	nezha >= 2.0.14, < 2.1.0	Jun 12, 2026	CVE
MEDIUM 6.5	CVE-2026-53520	Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing_CVE-2026-53520 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, authen...	nezhahq	nezha >= 2.0.14, < 2.1.0	Jun 12, 2026	CVE
CRITICAL 9.1	CVE-2026-53519	Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key_CVE-2026-53519 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the ...	nezhahq	nezha < 2.0.13	Jun 12, 2026	CVE
MEDIUM 5.3	CVE-2026-49397	Nezha Monitoring: Private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data_CVE-2026-49397 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.0 to before version 2.0.14, privat...	nezhahq	nezha >= 2.0.0, < 2.0.14	Jun 12, 2026	CVE
HIGH 7.1	CVE-2026-49396	Nezha Monitoring: Cross-site GET request can trigger stored cron commands on a victim’s agents_CVE-2026-49396 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.0.14, cross-...	nezhahq	nezha >= 1.0.0, < 2.0.14	Jun 12, 2026	CVE
HIGH 7.1	CVE-2026-48119	Nezha Monitoring: Authenticated agents can forge service-monitor results for other users’ services_CVE-2026-48119 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.12, authe...	nezhahq	nezha >= 0.20.0, < 2.0.12	Jun 12, 2026	CVE
MEDIUM 6.4	CVE-2026-47268	Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the dashboard host_CVE-2026-47268 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an au...	nezhahq	nezha >= 0.20.0, < 2.0.10	Jun 12, 2026	CVE