{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-53519/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-12T21:03:48.844Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-53519","@id":"https://www.cve.org/CVERecord?id=CVE-2026-53519","description":"Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves ../data/config.yaml; and path.Join(\"admin-dist\", \"../data/config.yaml\") normalizes to data/config.yaml, a path outside admin-dist."},"products":[{"@id":"cpe:2.3:a:nezhahq:nezha:\\<_2.0.13:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:nezhahq:nezha:\\<_2.0.13:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published in this record yet; the description states that versions prior to 2.0.13 are affected, so monitor the upstream advisory and confirm whether 2.0.13 or later contains the fix.","timestamp":"2026-06-12T21:03:48.844Z"}]}