CVE-2026-42127
- EPSS 0.43%
- Veröffentlicht 22.06.2026 16:31:28
- Zuletzt bearbeitet 30.06.2026 14:49:20
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through m...
CVE-2026-9029
- EPSS 0.27%
- Veröffentlicht 22.06.2026 13:18:40
- Zuletzt bearbeitet 30.06.2026 15:28:25
The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escap...
CVE-2026-10601
- EPSS 0.26%
- Veröffentlicht 22.06.2026 13:18:31
- Zuletzt bearbeitet 30.06.2026 15:40:40
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secu...
CVE-2026-28374
- EPSS 0.2%
- Veröffentlicht 13.05.2026 19:28:40
- Zuletzt bearbeitet 02.06.2026 19:29:02
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
CVE-2026-33378
- EPSS 0.33%
- Veröffentlicht 13.05.2026 19:28:37
- Zuletzt bearbeitet 28.05.2026 19:00:01
Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash th...
CVE-2026-28383
- EPSS 0.33%
- Veröffentlicht 13.05.2026 19:28:36
- Zuletzt bearbeitet 02.06.2026 19:28:54
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of ser...
CVE-2026-33376
- EPSS 0.27%
- Veröffentlicht 13.05.2026 19:28:34
- Zuletzt bearbeitet 02.06.2026 19:28:45
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Ok...
CVE-2026-28380
- EPSS 0.23%
- Veröffentlicht 13.05.2026 19:28:32
- Zuletzt bearbeitet 02.06.2026 19:28:57
Any Editor could delete any snapshot, even if they have no access to read or write them.
CVE-2026-33380
- EPSS 0.26%
- Veröffentlicht 13.05.2026 19:28:32
- Zuletzt bearbeitet 16.06.2026 19:33:18
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
CVE-2026-33381
- EPSS 0.25%
- Veröffentlicht 13.05.2026 19:28:31
- Zuletzt bearbeitet 16.06.2026 19:28:22
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.