Grafana
by Grafana
CVEs (86)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-43813 | 0.05 | — | 0.58 | Dec 10, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files… |
| CVE-2022-31097 | 0.04 | — | 0.69 | Jul 15, 2022 | Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability… |
| CVE-2022-32276 | 0.04 | — | 0.03 | Jun 17, 2022 | Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability. |
| CVE-2023-0594 | 0.03 | — | 0.09 | Mar 1, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due to the value of a span's attributes/resources were not… |
| CVE-2024-9264 | 0.01 | — | 0.98 | Oct 18, 2024 | The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user… |
| CVE-2018-19039 | 0.01 | — | 0.07 | Dec 13, 2018 | Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. |
| CVE-2026-42127 | 0.00 | — | 0.00 | Jun 22, 2026 | The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid… |
| CVE-2026-9029 | 0.00 | — | 0.00 | Jun 22, 2026 | The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to… |
| CVE-2025-41117 | 0.00 | — | 0.00 | Feb 12, 2026 | Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected;… |
| CVE-2026-21722 | 0.00 | — | 0.00 | Feb 12, 2026 | Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did… |
| CVE-2026-21720 | 0.00 | — | 0.01 | Jan 27, 2026 | Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an… |
| CVE-2024-10452 | 0.00 | — | 0.01 | Oct 29, 2024 | Organization admins can delete pending invites created in an organization they are not part of. |
| CVE-2023-31634 | 0.00 | — | 0.01 | Mar 27, 2024 | In TeslaMate before 1.27.2, there is unauthorized access to port 4000 for remote viewing and operation of user data. After accessing the IP address for the TeslaMate instance, an attacker can switch the port to 3000 to enter Grafana for remote operations. At that time, the… |
| CVE-2024-1442 | 0.00 | — | 0.01 | Mar 7, 2024 | A user with the permissions to create a data source can use the Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. |
| CVE-2023-5122 | 0.00 | — | 0.01 | Feb 14, 2024 | Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured… |
| CVE-2023-6152 | 0.00 | — | 0.01 | Feb 13, 2024 | A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email on sign up. |
| CVE-2023-3128 | 0.00 | — | 0.04 | Jun 22, 2023 | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. |
| CVE-2023-2183 | 0.00 | — | 0.01 | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API… |
| CVE-2023-2801 | 0.00 | — | 0.01 | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources using mixed queries. However, such a query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at… |
| CVE-2023-1387 | 0.00 | — | 0.01 | Apr 26, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration… |
Page 3 of 5