VYPR

apk package

wolfi/grafana-12.0

pkg:apk/wolfi/grafana-12.0

Vulnerabilities (38)

  • CVE-2026-27140HigApr 8, 2026
    affected < 12.0.10-r1fixed 12.0.10-r1

    SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

  • CVE-2026-33817Apr 6, 2026
    affected < 12.0.10-r0fixed 12.0.10-r0

    Rejected reason: CVE confirmed to be a false positive

  • CVE-2026-27880HigMar 27, 2026
    affected < 12.0.10-r0fixed 12.0.10-r0

    The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

  • CVE-2026-27142MedMar 6, 2026
    affected < 12.0.10-r1fixed 12.0.10-r1

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap

  • CVE-2026-27139LowMar 6, 2026
    affected < 12.0.10-r1fixed 12.0.10-r1

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary

  • CVE-2026-25679HigMar 6, 2026
    affected < 12.0.10-r1fixed 12.0.10-r1

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2026-21722Feb 12, 2026
    affected < 12.0.10-r0fixed 12.0.10-r0

    Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did n

  • CVE-2025-68121CriFeb 5, 2026
    affected < 12.0.10-r0fixed 12.0.10-r0

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732Feb 5, 2026
    affected < 12.0.10-r0fixed 12.0.10-r0

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2025-41115Nov 21, 2025
    affected < 0fixed 0

    SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vuln

  • CVE-2025-47914Nov 19, 2025
    affected < 0fixed 0

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-58181Nov 19, 2025
    affected < 0fixed 0

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-47907Aug 7, 2025
    affected < 12.0.3-r1fixed 12.0.3-r1

    Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex

  • CVE-2025-8556LowAug 6, 2025
    affected < 12.0.1-r3fixed 12.0.1-r3

    A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

  • CVE-2025-48371May 22, 2025
    affected < 12.0.1-r2fixed 12.0.1-r2

    OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us

  • CVE-2025-46331Apr 30, 2025
    affected < 12.0.0-r3fixed 12.0.0-r3

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c

  • CVE-2025-30153HigMar 19, 2025
    affected < 0fixed 0

    kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system

  • CVE-2025-27144MedFeb 24, 2025
    affected < 0fixed 0

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

Page 2 of 2