CVE-2026-27880
- EPSS 0.77%
- Veröffentlicht 27.03.2026 14:12:20
- Zuletzt bearbeitet 30.06.2026 03:17:59
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
CVE-2026-27877
- EPSS 0.31%
- Veröffentlicht 27.03.2026 14:02:11
- Zuletzt bearbeitet 30.06.2026 03:17:59
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to prox...
CVE-2026-21724
- EPSS 0.24%
- Veröffentlicht 26.03.2026 20:06:18
- Zuletzt bearbeitet 14.04.2026 01:00:10
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write ...
CVE-2026-33375
- EPSS 0.43%
- Veröffentlicht 26.03.2026 20:05:52
- Zuletzt bearbeitet 31.03.2026 19:01:30
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
- EPSS 0.18%
- Veröffentlicht 25.02.2026 12:35:43
- Zuletzt bearbeitet 10.05.2026 14:16:47
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to ...
CVE-2026-21722
- EPSS 0.33%
- Veröffentlicht 12.02.2026 09:16:08
- Zuletzt bearbeitet 27.02.2026 15:16:27
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the...
CVE-2025-41117
- EPSS 0.26%
- Veröffentlicht 12.02.2026 09:16:07
- Zuletzt bearbeitet 26.02.2026 22:20:42
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP A...
CVE-2026-21720
- EPSS 0.62%
- Veröffentlicht 27.01.2026 09:15:48
- Zuletzt bearbeitet 30.06.2026 03:17:24
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks f...
CVE-2026-21721
- EPSS 0.65%
- Veröffentlicht 27.01.2026 09:15:48
- Zuletzt bearbeitet 30.06.2026 03:17:24
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboard...
CVE-2026-0712
- EPSS 0.05%
- Veröffentlicht 15.01.2026 13:16:04
- Zuletzt bearbeitet 22.01.2026 17:16:30
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.