VYPR

apk package

chainguard/grafana-fips-12.2

pkg:apk/chainguard/grafana-fips-12.2

Vulnerabilities (112)

  • CVE-2026-27879MedMar 27, 2026
    affected < 12.2.8.01-r0fixed 12.2.8.01-r0

    A resample query can be used to trigger out-of-memory crashes in Grafana.

  • CVE-2026-27877MedMar 27, 2026
    affected < 12.2.8.01-r0fixed 12.2.8.01-r0

    When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos

  • CVE-2026-27876CriMar 27, 2026
    affected < 12.2.8.01-r0fixed 12.2.8.01-r0

    A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only inst

  • CVE-2026-33729CriMar 27, 2026
    affected < 12.2.7-r3fixed 12.2.7-r3

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests produci

  • CVE-2026-28377HigMar 26, 2026
    affected < 12.2.8.01-r3fixed 12.2.8.01-r3

    A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability

  • CVE-2026-33375MedMar 26, 2026
    affected < 12.2.8.01-r0fixed 12.2.8.01-r0

    The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

  • CVE-2026-21724MedMar 26, 2026
    affected < 12.2.8.01-r0fixed 12.2.8.01-r0

    A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

  • CVE-2026-32285HigMar 26, 2026
    affected < 12.2.7-r2fixed 12.2.7-r2

    The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

  • CVE-2026-33186CriMar 20, 2026
    affected < 12.2.7-r2fixed 12.2.7-r2

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-1229Feb 24, 2026
    affected < 12.2.8.01-r0fixed 12.2.8.01-r0

    The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://

  • CVE-2026-2303MedFeb 10, 2026
    affected < 12.2.9-r2fixed 12.2.9-r2

    The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI b

  • CVE-2026-24851Feb 6, 2026
    affected < 12.2.5-r0fixed 12.2.5-r0

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement

  • CVE-2025-68121CriFeb 5, 2026
    affected < 12.2.4.01-r0fixed 12.2.4.01-r0

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732Feb 5, 2026
    affected < 12.2.4.01-r0fixed 12.2.4.01-r0

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2026-24051HigFeb 2, 2026
    affected < 0fixed 0

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

  • CVE-2025-41115Nov 21, 2025
    affected < 0fixed 0

    SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vuln

  • CVE-2025-64751Nov 21, 2025
    affected < 12.2.4-r0fixed 12.2.4-r0

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcemen

  • CVE-2025-47914Nov 19, 2025
    affected < 0fixed 0

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-58181Nov 19, 2025
    affected < 0fixed 0

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-6023HigJul 18, 2025
    affected < 0fixed 0

    An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+sec

Page 4 of 6