Vendor CVEs
Grafana
All CVEs
122 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2019-15043 | 0.07 | — | 0.63 | Sep 3, 2019 | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. |
| CVE-2023-0507 | 0.05 | — | 0.15 | Mar 1, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and… |
| CVE-2022-32275 | 0.05 | — | 0.09 | Jun 6, 2022 | Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd… |
| CVE-2021-43813 | 0.05 | — | 0.58 | Dec 10, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files… |
| CVE-2022-31097 | 0.04 | — | 0.69 | Jul 15, 2022 | Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability… |
| CVE-2022-32276 | 0.04 | — | 0.03 | Jun 17, 2022 | Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability |
| CVE-2023-0594 | 0.03 | — | 0.09 | Mar 1, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not… |
| CVE-2024-9264 | 0.01 | — | 0.98 | Oct 18, 2024 | The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user… |
| CVE-2021-28148 | 0.01 | — | 0.04 | Mar 22, 2021 | One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a… |
| CVE-2018-19039 | 0.01 | — | 0.07 | Dec 13, 2018 | Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. |
| CVE-2026-42127 | 0.00 | — | 0.00 | Jun 22, 2026 | The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid… |
| CVE-2026-28381 | 0.00 | — | 0.00 | Jun 22, 2026 | The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host. |
| CVE-2026-9029 | 0.00 | — | 0.00 | Jun 22, 2026 | The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to… |
| CVE-2026-10601 | 0.00 | — | 0.00 | Jun 22, 2026 | The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by… |
| CVE-2026-42129 | 0.00 | — | 0.00 | Jun 22, 2026 | The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend… |
| CVE-2026-27878 | 0.00 | — | 0.00 | Jun 19, 2026 | A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service. |
| CVE-2026-32117 | 0.00 | — | 0.00 | Mar 11, 2026 | The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor… |
| CVE-2025-41117 | 0.00 | — | 0.00 | Feb 12, 2026 | Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected;… |
| CVE-2026-21722 | 0.00 | — | 0.00 | Feb 12, 2026 | Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did… |
| CVE-2026-21720 | 0.00 | — | 0.01 | Jan 27, 2026 | Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an… |
| CVE-2025-41115 | 0.00 | — | 0.17 | Nov 21, 2025 | SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a… |
| CVE-2024-10452 | 0.00 | — | 0.01 | Oct 29, 2024 | Organization admins can delete pending invites created in an organization they are not part of. |
| CVE-2024-8975 | 0.00 | — | 0.00 | Sep 25, 2024 | Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM. This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1. |
| CVE-2024-5526 | 0.00 | — | 0.00 | Jun 5, 2024 | Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers. Grafana OnCall, from version 1.1.37 before 1.5.2 are vulnerable to a Server Side… |
| CVE-2023-31634 | 0.00 | — | 0.01 | Mar 27, 2024 | In TeslaMate before 1.27.2, there is unauthorized access to port 4000 for remote viewing and operation of user data. After accessing the IP address for the TeslaMate instance, an attacker can switch the port to 3000 to enter Grafana for remote operations. At that time, the… |
| CVE-2024-1442 | 0.00 | — | 0.01 | Mar 7, 2024 | A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. |
| CVE-2023-5122 | 0.00 | — | 0.01 | Feb 14, 2024 | Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured… |
| CVE-2023-5123 | 0.00 | — | 0.01 | Feb 14, 2024 | The JSON datasource plugin ( https://grafana.com/grafana/plugins/marcusolsson-json-datasource/ ) is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing JSON data from a remote endpoint (including a specific sub-path) configured by an… |
| CVE-2023-6152 | 0.00 | — | 0.01 | Feb 13, 2024 | A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email on sign up. |
| CVE-2023-3010 | 0.00 | — | 0.00 | Oct 25, 2023 | Grafana is an open-source platform for monitoring and observability. The WorldMap panel plugin, versions before 1.0.4 contains a DOM XSS vulnerability. |
| CVE-2023-4399 | 0.00 | — | 0.01 | Oct 17, 2023 | Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn't call specific hosts. However, the restriction can be bypassed used… |
| CVE-2023-4457 | 0.00 | — | 0.00 | Oct 16, 2023 | Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially… |
| CVE-2023-4822 | 0.00 | — | 0.01 | Oct 16, 2023 | Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer,… |
| CVE-2023-3128 | 0.00 | — | 0.04 | Jun 22, 2023 | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. |
| CVE-2023-2183 | 0.00 | — | 0.01 | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API… |
| CVE-2023-2801 | 0.00 | — | 0.01 | Jun 6, 2023 | Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at… |
| CVE-2023-1387 | 0.00 | — | 0.01 | Apr 26, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration… |
| CVE-2023-1410 | 0.00 | — | 0.01 | Mar 23, 2023 | Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An… |
| CVE-2023-22462 | 0.00 | — | 0.02 | Mar 2, 2023 | Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user… |
| CVE-2022-23498 | 0.00 | — | 0.01 | Feb 3, 2023 | Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user's… |
| CVE-2022-23552 | 0.00 | — | 0.01 | Jan 27, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files… |
| CVE-2022-39324 | 0.00 | — | 0.01 | Jan 27, 2023 | Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the… |
| CVE-2022-44643 | 0.00 | — | 0.00 | Dec 21, 2022 | A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector… |
| CVE-2022-46156 | 0.00 | — | 0.00 | Nov 30, 2022 | The Synthetic Monitoring Agent for Grafana's Synthetic Monitoring application provides probe functionality and executes network checks for monitoring remote targets. Users running the Synthetic Monitoring agent prior to version 0.12.0 in their local network are impacted. The… |
| CVE-2022-39306 | 0.00 | — | 0.01 | Nov 9, 2022 | Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the… |
| CVE-2022-39307 | 0.00 | — | 0.01 | Nov 9, 2022 | Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a "user not… |
| CVE-2022-39328 | 0.00 | — | 0.01 | Nov 8, 2022 | Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load.… |
| CVE-2022-31130 | 0.00 | — | 0.01 | Oct 13, 2022 | Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy… |
| CVE-2022-39201 | 0.00 | — | 0.01 | Oct 13, 2022 | Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints… |
| CVE-2022-31123 | 0.00 | — | 0.00 | Oct 13, 2022 | Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though… |