rpm package
opensuse/grafana&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/grafana&distro=openSUSE%20Tumbleweed
Vulnerabilities (106)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42506 | Med | 6.1 | | < 11.6.14+security04-3.1 | 11.6.14+security04-3.1 | May 22, 2026 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-39821 | Cri | 9.6 | | < 11.6.14+security04-2.1 | 11.6.14+security04-2.1 | May 22, 2026 | The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program |
| CVE-2026-25680 | Med | 6.5 | | < 11.6.14+security04-3.1 | 11.6.14+security04-3.1 | May 22, 2026 | Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. |
| CVE-2026-33381 | Med | 5.9 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this. |
| CVE-2026-33380 | Med | 6.3 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable. |
| CVE-2026-33378 | Med | 6.5 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server. |
| CVE-2026-33377 | Hig | 7.1 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege. |
| CVE-2026-33376 | Hig | 7.4 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffe |
| CVE-2026-28383 | Med | 6.5 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service. |
| CVE-2026-28380 | Med | 6.5 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | Any Editor could delete any snapshot, even if they have no access to read or write them. |
| CVE-2026-28379 | Med | 6.5 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server. |
| CVE-2026-28376 | Med | 6.5 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue. |
| CVE-2026-28374 | Med | 4.3 | | < 11.6.14+security04-1.1 | 11.6.14+security04-1.1 | May 13, 2026 | Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations. |
| CVE-2026-41607 | Med | 6.5 | | < 11.6.14+security04-4.1 | 11.6.14+security04-4.1 | Apr 28, 2026 | Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. |
| CVE-2026-41602 | Hig | 7.5 | | < 11.6.14+security01-3.1 | 11.6.14+security01-3.1 | Apr 28, 2026 | Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. |
| CVE-2025-12141 | Med | 6.5 | | < 12.4.4-1.1 | 12.4.4-1.1 | Apr 15, 2026 | In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions "alert.notifications:write" or "alert.notifications.receivers:test" that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Edito |
| CVE-2026-34986 | Hig | 7.5 | | < 11.6.14+security01-2.1 | 11.6.14+security01-2.1 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW |
| CVE-2026-28375 | Med | 6.5 | | < 11.6.14+security01-1.1 | 11.6.14+security01-1.1 | Mar 27, 2026 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27879 | Med | 6.5 | | < 11.6.14+security01-1.1 | 11.6.14+security01-1.1 | Mar 27, 2026 | A resample query can be used to trigger out-of-memory crashes in Grafana. |
| CVE-2026-27877 | Med | 6.5 | | < 11.6.14+security01-1.1 | 11.6.14+security01-1.1 | Mar 27, 2026 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos |
Page 1 of 6