apk package
chainguard/grafana-12.0
pkg:apk/chainguard/grafana-12.0
Vulnerabilities (38)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27140 | Hig | 8.8 | < 12.0.10-r1 | 12.0.10-r1 | Apr 8, 2026 | SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. | |
| CVE-2026-33817 | — | < 12.0.10-r0 | 12.0.10-r0 | Apr 6, 2026 | Rejected reason: CVE confirmed to be a false positive | ||
| CVE-2026-27880 | Hig | 7.5 | < 12.0.10-r0 | 12.0.10-r0 | Mar 27, 2026 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. | |
| CVE-2026-27142 | Med | 6.1 | < 12.0.10-r1 | 12.0.10-r1 | Mar 6, 2026 | Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap | |
| CVE-2026-27139 | Low | 2.5 | < 12.0.10-r1 | 12.0.10-r1 | Mar 6, 2026 | On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary | |
| CVE-2026-25679 | Hig | 7.5 | < 12.0.10-r1 | 12.0.10-r1 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |
| CVE-2026-21722 | — | < 12.0.10-r0 | 12.0.10-r0 | Feb 12, 2026 | Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did n | ||
| CVE-2025-68121 | Cri | 10.0 | < 12.0.10-r0 | 12.0.10-r0 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and | |
| CVE-2025-61732 | — | < 12.0.10-r0 | 12.0.10-r0 | Feb 5, 2026 | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | ||
| CVE-2025-41115 | — | < 0 | 0 | Nov 21, 2025 | SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vuln | ||
| CVE-2025-47914 | — | < 0 | 0 | Nov 19, 2025 | SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. | ||
| CVE-2025-58181 | — | < 0 | 0 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | ||
| CVE-2025-47907 | — | < 12.0.3-r1 | 12.0.3-r1 | Aug 7, 2025 | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex | ||
| CVE-2025-8556 | Low | 3.7 | < 12.0.1-r3 | 12.0.1-r3 | Aug 6, 2025 | A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange. | |
| CVE-2025-48371 | — | < 12.0.1-r2 | 12.0.1-r2 | May 22, 2025 | OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us | ||
| CVE-2025-46331 | — | < 12.0.0-r3 | 12.0.0-r3 | Apr 30, 2025 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c | ||
| CVE-2025-30153 | Hig | 7.5 | < 0 | 0 | Mar 19, 2025 | kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system | |
| CVE-2025-27144 | Med | — | < 0 | 0 | Feb 24, 2025 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par |
- affected < 12.0.10-r1fixed 12.0.10-r1
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
- CVE-2026-33817Apr 6, 2026affected < 12.0.10-r0fixed 12.0.10-r0
Rejected reason: CVE confirmed to be a false positive
- affected < 12.0.10-r0fixed 12.0.10-r0
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
- affected < 12.0.10-r1fixed 12.0.10-r1
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
- affected < 12.0.10-r1fixed 12.0.10-r1
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
- affected < 12.0.10-r1fixed 12.0.10-r1
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- CVE-2026-21722Feb 12, 2026affected < 12.0.10-r0fixed 12.0.10-r0
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did n
- affected < 12.0.10-r0fixed 12.0.10-r0
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
- CVE-2025-61732Feb 5, 2026affected < 12.0.10-r0fixed 12.0.10-r0
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- CVE-2025-41115Nov 21, 2025affected < 0fixed 0
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vuln
- CVE-2025-47914Nov 19, 2025affected < 0fixed 0
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
- CVE-2025-58181Nov 19, 2025affected < 0fixed 0
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- CVE-2025-47907Aug 7, 2025affected < 12.0.3-r1fixed 12.0.3-r1
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
- affected < 12.0.1-r3fixed 12.0.1-r3
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
- CVE-2025-48371May 22, 2025affected < 12.0.1-r2fixed 12.0.1-r2
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us
- CVE-2025-46331Apr 30, 2025affected < 12.0.0-r3fixed 12.0.0-r3
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c
- affected < 0fixed 0
kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system
- affected < 0fixed 0
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
Page 2 of 2