rpm package
opensuse/grafana&distro=openSUSE Leap 16.0
pkg:rpm/opensuse/grafana&distro=openSUSE%20Leap%2016.0
Vulnerabilities (29)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27877 | Medium | 6.5 | | < 11.6.14+security04-bp160.1.1 | 11.6.14+security04-bp160.1.1 | Mar 27, 2026 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos |
| CVE-2026-27876 | Critical | 9.1 | | < 11.6.14+security04-bp160.1.1 | 11.6.14+security04-bp160.1.1 | Mar 27, 2026 | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only inst |
| CVE-2026-33375 | Medium | 6.5 | | < 11.6.14+security04-bp160.1.1 | 11.6.14+security04-bp160.1.1 | Mar 26, 2026 | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container. |
| CVE-2026-21724 | Medium | 5.4 | | < 11.6.14+security04-bp160.1.1 | 11.6.14+security04-bp160.1.1 | Mar 26, 2026 | A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with the Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. |
| CVE-2026-33186 | Critical | 9.1 | | < 11.6.14+security04-bp160.1.1 | 11.6.14+security04-bp160.1.1 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi |
| CVE-2026-21725 | Low | 2.6 | | < 11.6.14+security04-bp160.1.1 | 11.6.14+security04-bp160.1.1 | Feb 25, 2026 | A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior |
| CVE-2026-26958 | Low | — | | < 11.6.14+security04-bp160.1.1 | 11.6.14+security04-bp160.1.1 | Feb 19, 2026 | filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin |
| CVE-2025-29923 | Low | 3.7 | | < 11.6.14+security04-bp160.1.1 | 11.6.14+security04-bp160.1.1 | Mar 20, 2025 | go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit i |
| CVE-2025-30153 | High | 7.5 | | < 11.6.14+security04-bp160.1.1 | 11.6.14+security04-bp160.1.1 | Mar 19, 2025 | kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system |
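Every row above shares the same bound, so the practical question is whether an installed grafana RPM sorts below 11.6.14+security04-bp160.1.1 under RPM's own version ordering. The following is an added example written for this page, not code from this listing, from Grafana or from the openSUSE project: it ports rpm's rpmvercmp() segment rules to Python, layers the epoch/version/release ordering on top, and applies them to constructed `rpm -q` output lines. The function names (rpmvercmp, evrcmp, is_affected, evr_from_rpm_query), the sample query lines and the rule that a release is only compared when both sides carry one are this example's assumptions.

```python
"""Check whether an installed openSUSE grafana RPM falls inside the
'< 11.6.14+security04-bp160.1.1' range listed for every CVE on this page.

The comparison is an illustrative Python port of rpm's rpmvercmp() segment
algorithm, written for this page; it is not rpm's own code.
"""
import re

# Fixed version shared by all rows in the table above.
FIXED_EVR = "11.6.14+security04-bp160.1.1"


def _is_alnum(c: str) -> bool:
    """ASCII letters and digits only, as rpm's risalnum() does."""
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version (or release) strings the way
    rpmvercmp() does: split into numeric/alphabetic segments, compare numeric
    segments by value and alphabetic ones lexically, numeric beats alphabetic,
    '~' sorts before end-of-string and '^' sorts after it."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < la and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < lb and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":          # 1.0~rc1 < 1.0
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # 1.0 < 1.0^post1
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        seg_a = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        seg_b = mb.group(0) if mb else ""
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:
            # Segment types differ; the numeric one is the newer version.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1    # whoever still has characters left wins


def split_evr(evr: str):
    """'epoch:version-release' -> (epoch, version, release); epoch defaults
    to '0' and release to '' when the string carries none."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Full EVR comparison: epoch, then version, then release. The release is
    compared only when both sides carry one (assumption made so that a bare
    bound such as '11.6.14+security04' still compares sensibly)."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    rc = rpmvercmp(ea, eb) or rpmvercmp(va, vb)
    if rc == 0 and ra and rb:
        rc = rpmvercmp(ra, rb)
    return rc


def evr_from_rpm_query(line: str) -> str:
    # Input is one line of:  rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' grafana
    # rpm prints '(none)' for an unset epoch, which we drop.
    epoch, rest = line.strip().split(":", 1)
    return rest if epoch == "(none)" else f"{epoch}:{rest}"


def is_affected(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed package sorts below the fixed version."""
    return evrcmp(installed_evr, fixed_evr) < 0


if __name__ == "__main__":
    # Constructed sample query outputs, not taken from real hosts.
    for line in ("(none):11.6.9-bp160.1.2",
                 "(none):11.6.14+security03-bp160.1.1",
                 "(none):11.6.14+security04-bp160.1.1"):
        evr = evr_from_rpm_query(line)
        print(f"{evr:40} affected={is_affected(evr)}")
```

Note that a plain string or float comparison would get the `+security04` suffix wrong: under rpm's rules `11.6.14` sorts below `11.6.14+security04` because the right-hand side still has segments left, and `11.6.14+security03` sorts below it on the numeric segment, so both are inside the affected range while `11.6.14+security04-bp160.1.2` (a higher release) is not.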
Page 2 of 2