Vendor CVEs
Grafana
All CVEs
122 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-11539 | Cri | 0.57 | 9.9 | 0.01 | Oct 9, 2025 | Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary… | ||
| CVE-2026-21721 | Hig | 0.53 | 8.1 | 0.00 | Jan 27, 2026 | The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an… | ||
| CVE-2025-4123 | Hig | 0.53 | 7.6 | 0.94 | May 22, 2025 | A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not… | ||
| CVE-2025-41118 | Cri | 0.52 | 9.1 | 0.00 | Apr 15, 2026 | Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key… | ||
| CVE-2026-27876 | Cri | 0.52 | 9.1 | 0.02 | Mar 27, 2026 | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only… | ||
| CVE-2024-8986 | Cri | 0.52 | — | 0.01 | Sep 19, 2024 | The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for… | ||
| CVE-2026-33376 | Hig | 0.48 | 7.4 | 0.00 | May 13, 2026 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are… | ||
| CVE-2025-3260 | Hig | 0.47 | 8.3 | 0.00 | Jun 2, 2025 | A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders… | ||
| CVE-2026-33377 | Hig | 0.46 | 7.1 | 0.00 | May 13, 2026 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege. | ||
| CVE-2025-6023 | Hig | 0.45 | 7.6 | 0.38 | Jul 18, 2025 | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions… | ||
| CVE-2025-2703 | Med | 0.44 | 6.8 | 0.11 | Apr 23, 2025 | The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. | ||
| CVE-2026-33378 | Med | 0.42 | 6.5 | 0.00 | May 13, 2026 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server. | ||
| CVE-2026-28383 | Med | 0.42 | 6.5 | 0.00 | May 13, 2026 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service. | ||
| CVE-2026-28380 | Med | 0.42 | 6.5 | 0.00 | May 13, 2026 | Any Editor could delete any snapshot, even if they have no access to read or write them. | ||
| CVE-2026-28379 | Med | 0.42 | 6.5 | 0.00 | May 13, 2026 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server. | ||
| CVE-2026-28376 | Med | 0.42 | 6.5 | 0.00 | May 13, 2026 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue. | ||
| CVE-2026-27880 | Hig | 0.42 | 7.5 | 0.01 | Mar 27, 2026 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. | ||
| CVE-2026-28377 | Hig | 0.42 | 7.5 | 0.00 | Mar 26, 2026 | A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this… | ||
| CVE-2024-1313 | Med | 0.42 | 6.5 | 0.01 | Mar 26, 2024 | It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the… | ||
| CVE-2025-3580 | Med | 0.36 | 5.5 | 0.00 | May 23, 2025 | An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An… | ||
| CVE-2026-11769 | Med | 0.35 | — | 0.00 | Jun 13, 2026 | We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. ### Summary The Grafana Operator supports loading dashboards & library panels… | ||
| CVE-2025-12141 | Med | 0.35 | 6.5 | 0.00 | Apr 15, 2026 | In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic… | ||
| CVE-2026-28375 | Med | 0.35 | 6.5 | 0.00 | Mar 27, 2026 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. | ||
| CVE-2026-27879 | Med | 0.35 | 6.5 | 0.00 | Mar 27, 2026 | A resample query can be used to trigger out-of-memory crashes in Grafana. | ||
| CVE-2026-27877 | Med | 0.35 | 6.5 | 0.00 | Mar 27, 2026 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as… | ||
| CVE-2026-33375 | Med | 0.35 | 6.5 | 0.00 | Mar 26, 2026 | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container. | ||
| CVE-2026-33380 | Med | 0.34 | 6.3 | 0.00 | May 13, 2026 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable. | ||
| CVE-2024-9476 | Med | 0.33 | — | 0.00 | Nov 13, 2024 | A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.This vulnerability will only affect users who… | ||
| CVE-2024-8118 | Med | 0.33 | — | 0.01 | Sep 26, 2024 | In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. | ||
| CVE-2026-33381 | Med | 0.31 | 5.9 | 0.00 | May 13, 2026 | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this. | ||
| CVE-2026-28374 | Med | 0.28 | 4.3 | 0.00 | May 13, 2026 | Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations. | ||
| CVE-2026-21724 | Med | 0.28 | 5.4 | 0.00 | Mar 26, 2026 | A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. | ||
| CVE-2024-6322 | Med | 0.28 | 5.4 | 0.00 | Aug 20, 2024 | Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must… | ||
| CVE-2026-21726 | Med | 0.27 | 5.3 | 0.00 | Apr 15, 2026 | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this… | ||
| CVE-2025-6197 | Med | 0.27 | 4.2 | 0.04 | Jul 18, 2025 | An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL | ||
| CVE-2025-8341 | Med | 0.26 | 5.0 | 0.00 | Aug 4, 2025 | Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints. If the plugin was configured to allow only certain URLs, an attacker could… | ||
| CVE-2025-3454 | Med | 0.26 | 5.0 | 0.00 | Jun 2, 2025 | This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. … | ||
| CVE-2025-10630 | Med | 0.21 | 4.3 | 0.00 | Sep 19, 2025 | Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS… | ||
| CVE-2025-3415 | Med | 0.21 | 4.3 | 0.01 | Jul 17, 2025 | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01,… | ||
| CVE-2025-2842 | Med | 0.21 | 4.3 | 0.00 | Apr 2, 2025 | A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view… | ||
| CVE-2025-2786 | Med | 0.21 | 4.3 | 0.00 | Apr 2, 2025 | A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to… | ||
| CVE-2024-11741 | Med | 0.21 | 4.3 | 0.00 | Jan 31, 2025 | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 | ||
| CVE-2026-21725 | Low | 0.17 | 2.6 | 0.00 | Feb 25, 2026 | A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior… | ||
| CVE-2021-43798 | 0.15 | — | 0.89 | KEV | Dec 7, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`,… | ||
| CVE-2026-21727 | Low | 0.14 | 3.3 | 0.00 | Apr 15, 2026 | --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score:… | ||
| CVE-2025-41116 | Low | 0.14 | — | 0.00 | Nov 11, 2025 | When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information… | ||
| CVE-2025-3717 | Low | 0.14 | — | 0.00 | Nov 11, 2025 | When using the Grafana Snowflake Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information… | ||
| CVE-2021-39226 | 0.13 | — | 1.00 | KEV | Oct 5, 2021 | Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot… | ||
| CVE-2025-1088 | Low | 0.11 | 2.7 | 0.00 | Jun 18, 2025 | In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. | ||
| CVE-2022-26148 | 0.07 | — | 0.53 | Mar 21, 2022 | An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search… |
- risk 0.57cvss 9.9epss 0.01
Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary…
- risk 0.53cvss 8.1epss 0.00
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an…
- risk 0.53cvss 7.6epss 0.94
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not…
- risk 0.52cvss 9.1epss 0.00
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key…
- risk 0.52cvss 9.1epss 0.02
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only…
- risk 0.52cvss —epss 0.01
The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for…
- risk 0.48cvss 7.4epss 0.00
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are…
- risk 0.47cvss 8.3epss 0.00
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders…
- risk 0.46cvss 7.1epss 0.00
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
- risk 0.45cvss 7.6epss 0.38
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions…
- risk 0.44cvss 6.8epss 0.11
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
- risk 0.42cvss 6.5epss 0.00
Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.
- risk 0.42cvss 6.5epss 0.00
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
- risk 0.42cvss 6.5epss 0.00
Any Editor could delete any snapshot, even if they have no access to read or write them.
- risk 0.42cvss 6.5epss 0.00
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.
- risk 0.42cvss 6.5epss 0.00
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
- risk 0.42cvss 7.5epss 0.01
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
- risk 0.42cvss 7.5epss 0.00
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this…
- risk 0.42cvss 6.5epss 0.01
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the…
- risk 0.36cvss 5.5epss 0.00
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An…
- risk 0.35cvss —epss 0.00
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. ### Summary The Grafana Operator supports loading dashboards & library panels…
- risk 0.35cvss 6.5epss 0.00
In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic…
- risk 0.35cvss 6.5epss 0.00
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
- risk 0.35cvss 6.5epss 0.00
A resample query can be used to trigger out-of-memory crashes in Grafana.
- risk 0.35cvss 6.5epss 0.00
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as…
- risk 0.35cvss 6.5epss 0.00
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
- risk 0.34cvss 6.3epss 0.00
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
- risk 0.33cvss —epss 0.00
A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant.This vulnerability will only affect users who…
- risk 0.33cvss —epss 0.01
In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.
- risk 0.31cvss 5.9epss 0.00
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
- risk 0.28cvss 4.3epss 0.00
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
- risk 0.28cvss 5.4epss 0.00
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
- risk 0.28cvss 5.4epss 0.00
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must…
- risk 0.27cvss 5.3epss 0.00
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this…
- risk 0.27cvss 4.2epss 0.04
An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL
- risk 0.26cvss 5.0epss 0.00
Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints. If the plugin was configured to allow only certain URLs, an attacker could…
- risk 0.26cvss 5.0epss 0.00
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. …
- risk 0.21cvss 4.3epss 0.00
Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS…
- risk 0.21cvss 4.3epss 0.01
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01,…
- risk 0.21cvss 4.3epss 0.00
A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view…
- risk 0.21cvss 4.3epss 0.00
A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to…
- risk 0.21cvss 4.3epss 0.00
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15
- risk 0.17cvss 2.6epss 0.00
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior…
- risk 0.15cvss —epss 0.89
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`,…
- risk 0.14cvss 3.3epss 0.00
--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score:…
- risk 0.14cvss —epss 0.00
When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information…
- risk 0.14cvss —epss 0.00
When using the Grafana Snowflake Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information…
- risk 0.13cvss —epss 1.00
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot…
- risk 0.11cvss 2.7epss 0.00
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.
- CVE-2022-26148Mar 21, 2022risk 0.07cvss —epss 0.53
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search…
Page 1 of 3