VYPR

Grafana

by Grafana


CVEs (86)

  • CVE-2026-33380 · Medium · May 13, 2026
    risk 0.34 · CVSS 6.3 · EPSS 0.00

    A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

  • CVE-2024-9476 · Medium · Nov 13, 2024
    risk 0.33 · CVSS n/a · EPSS 0.00

    A vulnerability in Grafana Labs Grafana OSS and Enterprise allows privilege escalation: users can gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant. This vulnerability will only affect users who…

  • CVE-2024-8118 · Medium · Sep 26, 2024
    risk 0.33 · CVSS n/a · EPSS 0.01

    In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.

  • CVE-2026-33381 · Medium · May 13, 2026
    risk 0.31 · CVSS 5.9 · EPSS 0.00

    When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

  • CVE-2026-28374 · Medium · May 13, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

  • CVE-2026-21724 · Medium · Mar 26, 2026
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

  • CVE-2024-6322 · Medium · Aug 20, 2024
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must…

  • CVE-2025-6197 · Medium · Jul 18, 2025
    risk 0.27 · CVSS 4.2 · EPSS 0.04

    An open redirect vulnerability has been identified in the Grafana OSS organization switching functionality. Prerequisites for exploitation: multiple organizations must exist in the Grafana instance, and the victim must be on a different organization than the one specified in the URL.

  • CVE-2025-3454 · Medium · Jun 2, 2025
    risk 0.26 · CVSS 5.0 · EPSS 0.00

    This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. …

  • CVE-2025-3415 · Medium · Jul 17, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01,…

  • CVE-2024-11741 · Medium · Jan 31, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15.

  • CVE-2026-21725 · Low · Feb 25, 2026
    risk 0.17 · CVSS 2.6 · EPSS 0.00

    A time-of-check to time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: the attacker must have admin access to the specific datasource prior…

  • CVE-2021-43798 · KEV · Dec 7, 2021
    risk 0.15 · CVSS n/a · EPSS 0.89

    Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`,…

  • CVE-2026-21727 · Low · Apr 15, 2026
    risk 0.14 · CVSS 3.3 · EPSS 0.00

    Cross-Tenant Legacy Correlation Disclosure and Deletion. Grafana security advisory dated 2026-01-29, severity Low.

  • CVE-2021-39226 · KEV · Oct 5, 2021
    risk 0.13 · CVSS n/a · EPSS 1.00

    Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot…

  • CVE-2025-1088 · Low · Jun 18, 2025
    risk 0.11 · CVSS 2.7 · EPSS 0.00

    In Grafana, an excessively long dashboard title or panel name causes Chromium-based browsers to become unresponsive, due to improper input validation. This issue affects Grafana before 11.6.2 and is fixed in 11.6.2 and higher.

  • CVE-2022-26148 · Mar 21, 2022
    risk 0.07 · CVSS n/a · EPSS 0.53

    An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. Once a user has logged in (where registration is allowed), they can right-click to view the page source and use Ctrl-F to search…

  • CVE-2019-15043 · Sep 3, 2019
    risk 0.07 · CVSS n/a · EPSS 0.63

    In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

  • CVE-2023-0507 · Mar 1, 2023
    risk 0.05 · CVSS n/a · EPSS 0.15

    Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core GeoMap plugin. The stored XSS was possible because map attributions were not properly sanitized and…

  • CVE-2022-32275 · Jun 6, 2022
    risk 0.05 · CVSS n/a · EPSS 0.09

    Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd…
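Two of the entries above, CVE-2025-3454 (authorization bypass by adding an extra slash to a datasource proxy path) and CVE-2021-43798 (directory traversal under /public/plugins/), are both instances of the same mistake: a security decision made on a path before it has been canonicalized. The following Go program is an added illustration written for this page; it is not Grafana's code, and the permission names, the protected-path table, the root directory and the request paths in it are constructed for the example. It shows a permission lookup keyed on the raw path being bypassed by `//` and fixed by `path.Clean`, and a `filepath.Join`-based file lookup that escapes its root beside a version that cleans the client-supplied part first and rejects anything that points outside.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// Hypothetical permission names used only for this example.
const (
	permBasic = "datasources:query" // the "minimal" permission every proxy caller holds
	permRules = "alert.rules:read"  // the elevated permission a protected endpoint needs
)

// protectedPaths maps a proxied sub-path to the permission it requires.
// Anything not in the table needs only permBasic. (Illustrative table; the
// endpoints and permissions are not taken from the Grafana source.)
var protectedPaths = map[string]string{
	"/api/v1/rules":  permRules,
	"/api/v1/alerts": permRules,
}

// requiredPermission looks up the permission for a proxied sub-path.
// With normalize=false the raw path is the map key, so "/api/v1//rules" (one
// extra slash) misses the table and falls through to permBasic, while an
// upstream that tolerates the doubled slash still serves /api/v1/rules.
// With normalize=true, path.Clean collapses repeated slashes and resolves
// "." and ".." segments before the lookup, so disguised paths map back to
// their rule.
func requiredPermission(subPath string, normalize bool) string {
	if normalize {
		subPath = path.Clean("/" + subPath)
	}
	if p, ok := protectedPaths[subPath]; ok {
		return p
	}
	return permBasic
}

// authorizeProxy reports whether a caller holding userPerms may reach subPath.
func authorizeProxy(userPerms []string, subPath string, normalize bool) bool {
	need := requiredPermission(subPath, normalize)
	for _, p := range userPerms {
		if p == need {
			return true
		}
	}
	return false
}

// naiveJoin is the traversal-prone pattern: filepath.Join cleans the combined
// path, so ".." segments in userPath walk out of root.
func naiveJoin(root, userPath string) string {
	return filepath.Join(root, filepath.FromSlash(userPath))
}

// safeJoin cleans the client-supplied part before joining and rejects any
// result that is absolute or begins with "..". userPath is assumed to be
// percent-decoded already by the router.
func safeJoin(root, userPath string) (string, bool) {
	rel := path.Clean(strings.TrimPrefix(userPath, "/"))
	if path.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", false
	}
	return filepath.Join(root, filepath.FromSlash(rel)), true
}

func main() {
	viewer := []string{permBasic}
	fmt.Println("raw lookup, /api/v1//rules ->", authorizeProxy(viewer, "/api/v1//rules", false))
	fmt.Println("normalized, /api/v1//rules ->", authorizeProxy(viewer, "/api/v1//rules", true))

	// Constructed request path in the style of the plugin-asset traversal.
	evil := "plugins/someplugin/../../../../etc/passwd"
	fmt.Println("naiveJoin ->", naiveJoin("/srv/public", evil))
	p, ok := safeJoin("/srv/public", evil)
	fmt.Printf("safeJoin  -> %q %v\n", p, ok)
}
```

The common fix is the order of operations: canonicalize once, at the boundary, and make every later check (route lookup, permission table, filesystem containment) operate on the canonical form only.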
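CVE-2025-6197 above is an open redirect in organization switching, the class of bug where a handler takes a "go back here afterwards" value from the request and sends a Location header built from it. The program below is an added example for this page, not Grafana's code; the parameter name, the handler shape and the default landing page are assumptions. It validates the value as a root-relative path, rejecting absolute URLs, protocol-relative `//host` forms, the backslash variant browsers treat the same way, header-splitting control characters and percent-encoded slashes, and falls back to a fixed page when the value is rejected.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// safeReturnTo validates a caller-supplied "return to this page after the
// switch" value and yields a root-relative path that is safe to place in a
// Location header. Illustrative code; not taken from Grafana.
func safeReturnTo(raw string) (string, bool) {
	// Must be a root-relative path. This also drops absolute URLs and
	// scheme-only values such as "javascript:...".
	if raw == "" || raw[0] != '/' {
		return "", false
	}
	// "//host" is a protocol-relative URL; browsers treat "/\host" the same
	// way; CR or LF would split the response header.
	if strings.HasPrefix(raw, "//") || strings.ContainsAny(raw, "\\\r\n") {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", false
	}
	// Percent-encoded slashes decode to a "//..." path; reject those rather
	// than reason about how each browser re-encodes them on redirect.
	if strings.HasPrefix(u.Path, "//") {
		return "", false
	}
	out := path.Clean(u.Path)
	if u.RawQuery != "" {
		out += "?" + u.RawQuery
	}
	if u.Fragment != "" {
		out += "#" + u.Fragment
	}
	return out, true
}

// switchOrgRedirect mirrors the decision an org-switch handler has to make:
// honour a valid local target, otherwise use a fixed landing page. The
// default "/" is an assumption for this example.
func switchOrgRedirect(returnTo string) string {
	if p, ok := safeReturnTo(returnTo); ok {
		return p
	}
	return "/"
}

func main() {
	// Constructed inputs: one legitimate value and two redirect attempts.
	for _, in := range []string{"/dashboards?orgId=2", "//evil.example/", "/%2F%2Fevil.example"} {
		fmt.Printf("%-24q -> %q\n", in, switchOrgRedirect(in))
	}
}
```

If the application is served under a sub-path, the accepted value should additionally be required to start with that prefix; the validator above deliberately does not assume one.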

Page 2 of 5