VYPR
Vendor: Grafana
Products: 28
CVEs: 122
Across products: 142
Status: Private

Recent CVEs

  • CVE-2025-11539 | Critical | Oct 9, 2025
    risk 0.57 | CVSS 9.9 | EPSS 0.01

    Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary…

  • CVE-2026-21721 | High | Jan 27, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an…

  • CVE-2025-4123 | High | May 22, 2025
    risk 0.53 | CVSS 7.6 | EPSS 0.94

    A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not…

  • CVE-2025-41118 | Critical | Apr 15, 2026
    risk 0.52 | CVSS 9.1 | EPSS 0.00

    Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key…

  • CVE-2026-27876 | Critical | Mar 27, 2026
    risk 0.52 | CVSS 9.1 | EPSS 0.02

    A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only…

  • CVE-2024-8986 | Critical | Sep 19, 2024
    risk 0.52 | CVSS not listed | EPSS 0.01

    The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for…

  • CVE-2026-33376 | High | May 13, 2026
    risk 0.48 | CVSS 7.4 | EPSS 0.00

    When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are…

  • CVE-2025-3260 | High | Jun 2, 2025
    risk 0.47 | CVSS 8.3 | EPSS 0.00

    A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders…

  • CVE-2026-33377 | High | May 13, 2026
    risk 0.46 | CVSS 7.1 | EPSS 0.00

    An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

  • CVE-2025-6023 | High | Jul 18, 2025
    risk 0.45 | CVSS 7.6 | EPSS 0.38

    An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions…

  • CVE-2025-2703 | Medium | Apr 23, 2025
    risk 0.44 | CVSS 6.8 | EPSS 0.11

    The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

  • CVE-2026-33378 | Medium | May 13, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.

  • CVE-2026-28383 | Medium | May 13, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

  • CVE-2026-28380 | Medium | May 13, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Any Editor could delete any snapshot, even if they have no access to read or write them.

  • CVE-2026-28379 | Medium | May 13, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

  • CVE-2026-28376 | Medium | May 13, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

  • CVE-2026-27880 | High | Mar 27, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.01

    The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

  • CVE-2026-28377 | High | Mar 26, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this…

  • CVE-2024-1313 | Medium | Mar 26, 2024
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the…

  • CVE-2025-3580 | Medium | May 23, 2025
    risk 0.36 | CVSS 5.5 | EPSS 0.00

    An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An…