Export limit exceeded: 366088 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (141 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28378 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-07-13 | 3.1 Low |
| The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers. | ||||
| CVE-2026-33382 | 1 Grafana | 1 Grafana | 2026-07-13 | 7.5 High |
| Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service. | ||||
| CVE-2026-8609 | 1 Grafana | 1 Grafana | 2026-07-13 | 5.3 Medium |
| An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance (denial of service). | ||||
| CVE-2026-8595 | 1 Grafana | 1 Grafana | 2026-07-13 | 6.8 Medium |
| A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting). | ||||
| CVE-2026-21728 | 1 Grafana | 1 Tempo | 2026-07-13 | 7.5 High |
| Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18). Alternatively, automatically restart the service. | ||||
| CVE-2026-10601 | 1 Grafana | 1 Grafana | 2026-07-12 | 5.4 Medium |
| A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the configured backend. | ||||
| CVE-2026-11769 | 1 Grafana | 1 Grafana Operator | 2026-07-10 | 6.4 Medium |
| We have released version 5.24.0 of the Grafana Operator. This patch includes a MEDIUM severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. ### Summary The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod. ### Impact It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager. ### Affected versions All Grafana Operator versions <= 5.23 ### Solutions and mitigations All installations should be upgraded as soon as possible. As a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: "prevent-jsonnet-dashboards" spec: failurePolicy: Fail matchConstraints: resourceRules: - apiGroups: ["grafana.integreatly.org"] apiVersions: ["v1beta1"] operations: ["CREATE", "UPDATE"] resources: ["grafanadashboards", "grafanalibrarypanels"] validations: - expression: "!has(object.spec.jsonnetLib)" --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: "prevent-jsonnet-dashboards-clusterwide" spec: policyName: "prevent-jsonnet-dashboards" validationActions: [Deny] ### Acknowledgement We would like to thank Artem Cherezov for responsibly disclosing the vulnerability. | ||||
| CVE-2026-42129 | 1 Grafana | 2 Grafana, Loki Datasource | 2026-07-10 | 7.7 High |
| A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information. | ||||
| CVE-2026-42127 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-07-10 | 7.5 High |
| The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability. | ||||
| CVE-2026-9029 | 1 Grafana | 1 Grafana | 2026-07-10 | 7.3 High |
| A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard (stored cross-site scripting). | ||||
| CVE-2026-28381 | 1 Grafana | 1 Snowflake Datasource | 2026-06-24 | 9.6 Critical |
| The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host. | ||||
| CVE-2026-27878 | 1 Grafana | 2 Enterprise Metrics, Tempo | 2026-06-24 | 6.5 Medium |
| A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service. | ||||
| CVE-2026-33380 | 1 Grafana | 1 Grafana | 2026-06-16 | 6.3 Medium |
| A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable. | ||||
| CVE-2026-33381 | 1 Grafana | 1 Grafana | 2026-06-16 | 5.9 Medium |
| When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this. | ||||
| CVE-2026-28374 | 1 Grafana | 1 Grafana | 2026-06-02 | 4.3 Medium |
| Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations. | ||||
| CVE-2026-28379 | 1 Grafana | 1 Grafana | 2026-06-02 | 6.5 Medium |
| A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server. | ||||
| CVE-2026-28380 | 1 Grafana | 1 Grafana | 2026-06-02 | 6.5 Medium |
| Any Editor could delete any snapshot, even if they have no access to read or write them. | ||||
| CVE-2026-28383 | 1 Grafana | 1 Grafana | 2026-06-02 | 6.5 Medium |
| A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service. | ||||
| CVE-2026-33376 | 1 Grafana | 1 Grafana | 2026-06-02 | 7.4 High |
| When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here. | ||||
| CVE-2026-33377 | 1 Grafana | 1 Grafana | 2026-06-02 | 7.1 High |
| An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege. | ||||