CVE-2026-33377
- EPSS 0.23%
- Veröffentlicht 13.05.2026 19:28:28
- Zuletzt bearbeitet 02.06.2026 19:28:40
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
CVE-2026-28376
- EPSS 0.33%
- Veröffentlicht 13.05.2026 19:28:26
- Zuletzt bearbeitet 18.05.2026 14:57:04
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger ...
CVE-2026-28379
- EPSS 0.26%
- Veröffentlicht 13.05.2026 19:28:25
- Zuletzt bearbeitet 02.06.2026 19:28:59
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafan...
CVE-2026-21727
- EPSS 0.2%
- Veröffentlicht 15.04.2026 18:57:25
- Zuletzt bearbeitet 20.04.2026 20:08:04
--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cv...
CVE-2025-12141
- EPSS 0.26%
- Veröffentlicht 15.04.2026 14:59:41
- Zuletzt bearbeitet 20.04.2026 20:16:40
In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which i...
CVE-2026-27879
- EPSS 0.38%
- Veröffentlicht 27.03.2026 14:28:56
- Zuletzt bearbeitet 31.03.2026 18:56:31
A resample query can be used to trigger out-of-memory crashes in Grafana.
CVE-2026-28375
- EPSS 0.38%
- Veröffentlicht 27.03.2026 14:26:19
- Zuletzt bearbeitet 31.03.2026 18:15:45
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
CVE-2026-27876
- EPSS 1.93%
- Veröffentlicht 27.03.2026 14:24:36
- Zuletzt bearbeitet 27.06.2026 05:16:43
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vecto...
CVE-2026-27880
- EPSS 0.77%
- Veröffentlicht 27.03.2026 14:12:20
- Zuletzt bearbeitet 30.06.2026 03:17:59
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
CVE-2026-27877
- EPSS 0.31%
- Veröffentlicht 27.03.2026 14:02:11
- Zuletzt bearbeitet 30.06.2026 03:17:59
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to prox...