VYPR

apk package

chainguard/grafana-12.2

pkg:apk/chainguard/grafana-12.2

Vulnerabilities (43)

  • CVE-2026-21726 · Medium · Apr 15, 2026
    affected < 12.2.9-r0, fixed 12.2.9-r0

    The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}. Thanks to Prasanth Sundararajan for reporting this vulnerabili

  • CVE-2026-39883 · High · Apr 8, 2026
    affected < 12.2.8.01-r4, fixed 12.2.8.01-r4

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882 · Medium · Apr 8, 2026
    affected < 12.2.8.01-r7, fixed 12.2.8.01-r7

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-34972 · Medium · Apr 6, 2026
    affected < 12.2.8.01-r3, fixed 12.2.8.01-r3

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can res

  • CVE-2026-33817 · Apr 6, 2026
    affected < 0, fixed 0

    Rejected reason: CVE confirmed to be a false positive

  • CVE-2026-34986 · High · Apr 6, 2026
    affected < 12.2.8.01-r2, fixed 12.2.8.01-r2

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-28375 · Medium · Mar 27, 2026
    affected < 0, fixed 0

    A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

  • CVE-2026-27880 · High · Mar 27, 2026
    affected < 12.2.8.01-r2, fixed 12.2.8.01-r2

    The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

  • CVE-2026-27879 · Medium · Mar 27, 2026
    affected < 0, fixed 0

    A resample query can be used to trigger out-of-memory crashes in Grafana.

  • CVE-2026-27877 · Medium · Mar 27, 2026
    affected < 0, fixed 0

    When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos

  • CVE-2026-27876 · Critical · Mar 27, 2026
    affected < 0, fixed 0

    A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only inst

  • CVE-2026-33729 · Critical · Mar 27, 2026
    affected < 12.2.8-r1, fixed 12.2.8-r1

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests produci

  • CVE-2026-32285 · High · Mar 26, 2026
    affected < 12.2.7-r2, fixed 12.2.7-r2

    The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

  • CVE-2026-33186 · Critical · Mar 20, 2026
    affected < 12.2.7-r1, fixed 12.2.7-r1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-1229 · Feb 24, 2026
    affected < 12.2.8-r0, fixed 12.2.8-r0

    The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://

  • CVE-2026-24851 · Feb 6, 2026
    affected < 12.2.5-r0, fixed 12.2.5-r0

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 (openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v1.8.5 <= docker <= v1.11.2) are vulnerable to improper policy enforcement

  • CVE-2025-68121 · Critical · Feb 5, 2026
    affected < 12.2.5-r0, fixed 12.2.5-r0

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732 · Feb 5, 2026
    affected < 12.2.5-r0, fixed 12.2.5-r0

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2026-24051 · High · Feb 2, 2026
    affected < 0, fixed 0

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

  • CVE-2025-61729 · Dec 2, 2025
    affected < 12.2.2-r1, fixed 12.2.2-r1

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a