4849 matches found

Source: Nuclei (added yesterday)

Grafana - Exposes DingDing API Keys

The DingDing alerting integration URL was inadvertently exposed to viewers because of a settings oversight in versions up to and including 12.0.1. Template: id CVE-2025-3415, author lucasribolli, severity medium.

CVSS 4.3 | AI score 6.2 | EPSS 0.0089
Exploits 0 | References 1
Source: Nuclei (added 2 days ago)

Grafana - XSS / Open Redirect / SSRF via Client Path Traversal

An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may use the redirect to reach internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeover. Template: id CVE-2025-41...

CVSS 7.6 | AI score 7.3 | EPSS 0.97809
Exploits 6 | References 2
Source: Nuclei (added 2 days ago)

Grafana <= 6.7.1 - Cross-Site Scripting

Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that executes when a user clicks Open Original Dashboard after visiting the snapshot...

CVSS 5.4 | AI score 6.6 | EPSS 0.09619
Exploits 0 | References 5
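The originalUrl entry above is the classic case of a user-controlled string landing in an href: output encoding alone does not stop a javascript: URL. As an added example, not Grafana's code (the function name, error value and acceptance rules are assumptions for this page), here is a Go allowlist check that accepts only absolute http(s) URLs or same-origin absolute paths and refuses javascript:, data:, protocol-relative and control-character variants:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeURL is returned for any value that must not be placed in an href.
var ErrUnsafeURL = errors.New("originalUrl rejected: not an http(s) URL or same-origin absolute path")

// ValidateOriginalURL is a hypothetical allowlist for a user-supplied
// "open original dashboard" link. It accepts absolute http/https URLs and
// same-origin absolute paths ("/d/..."); everything else, including
// javascript:, data:, vbscript: and protocol-relative "//host" values, is
// rejected before it can reach an href attribute.
func ValidateOriginalURL(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	if s == "" {
		return "", ErrUnsafeURL
	}
	// url.Parse fails on embedded control bytes (tab, newline), which browsers
	// strip and would otherwise turn "java\tscript:" back into a scheme.
	u, err := url.Parse(s)
	if err != nil {
		return "", ErrUnsafeURL
	}
	switch {
	case u.Scheme == "http" || u.Scheme == "https":
		// url.Parse lower-cases the scheme, so "HTTPS://" and "JaVaScRiPt:"
		// are compared normalised. Require a host so "http:evil" is refused.
		if u.Host == "" {
			return "", ErrUnsafeURL
		}
		return u.String(), nil
	case u.Scheme == "" && u.Host == "" && strings.HasPrefix(u.Path, "/") &&
		!strings.HasPrefix(s, "//") && !strings.HasPrefix(s, `/\`):
		// Same-origin path. "//host" parses with a Host and "/\host" is treated
		// as protocol-relative by browsers, so both are excluded explicitly.
		return u.String(), nil
	default:
		return "", ErrUnsafeURL
	}
}

func main() {
	for _, in := range []string{
		"https://grafana.example.com/d/abc?orgId=1",
		"/d/abc?orgId=1",
		"javascript:alert(document.cookie)",
		"JaVaScRiPt:alert(1)",
		"//attacker.example/x",
		"data:text/html,<script>alert(1)</script>",
	} {
		out, err := ValidateOriginalURL(in)
		fmt.Printf("%-44q -> %q %v\n", in, out, err)
	}
}
```

The check belongs where the snapshot is stored, not only in the front end, and the accepted value still needs attribute encoding when rendered; the point of the allowlist is that encoding by itself cannot turn a javascript: link into a safe one.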
Source: Nuclei (added 3 days ago)

Grafana & Zabbix Integration - Credentials Disclosure

Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability: the Zabbix password is embedded in the HTML source served by apijsonrpc.php. When a user logs in (or when user self-registration is enabled), one can right-click to view the page source and use Ctrl-F to search...

CVSS 9.8 | AI score 7.2 | EPSS 0.53439
Exploits 1 | References 5
Source: Nuclei (added 3 days ago)

Grafana v8.x - Arbitrary File Read

Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a directory traversal that allows reading local files. The vulnerable URL path is /public/plugins/NAME/, where NAME is the plugin ID of any installed plugin. Template: id CVE-2021-43798, autho...

CVSS 7.5 | AI score 7.4 | EPSS 0.88849
Exploits 44 | References 5
Source: Nuclei (added 3 days ago)

Grafana - Improper Access Control

Grafana 2.x through 6.x before 6.3.4 is susceptible to improper access control. An attacker can delete and create arbitrary snapshots, leading to denial of service. Template: id CVE-2019-15043, author Joshua Rogers, severity high.

CVSS 7.5 | AI score 6.8 | EPSS 0.63388
Exploits 1 | References 6
Source: Wolfi (added 3 days ago)

CVE-2026-55689 vulnerabilities

Vulnerabilities for packages: grafana...

AI score 5.8
Exploits 0
Source: Wolfi (added 3 days ago)

GHSA-HCXC-WF8J-23HV vulnerabilities

Vulnerabilities for packages: grafana...

AI score 5.8
Exploits 0
Source: Nuclei (added 5 days ago)

Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting

Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the...

CVSS 6.9 | AI score 6.9 | EPSS 0.84607
Exploits 0 | References 5
Source: OSV (added 5 days ago)

BIT-GRAFANA-2026-42127 Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...

CVSS 7.5 | AI score 5.8 | EPSS 0.00432
Exploits 0 | References 2
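The pre-auth DoS above comes from buffering an unbounded request body before any validation. As an added example that is not Grafana's code (the route, the handler and the JSON field names are assumptions for this page; http.MaxBytesError needs Go 1.19 or later), here is a Go handler that caps the body with http.MaxBytesReader before decoding, driven in-process against a small body, an oversize body with and without a declared length, and truncated JSON:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// queryRequest is a hypothetical stand-in for a public dashboard query body;
// the field names are assumptions for this example, not Grafana's schema.
type queryRequest struct {
	PanelID int              `json:"panelId"`
	Queries []map[string]any `json:"queries"`
}

// NewQueryHandler returns a handler that never buffers more than maxBytes of
// request body, whatever Content-Length claims, before JSON decoding starts.
func NewQueryHandler(maxBytes int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Fast path: an honestly declared oversize body is refused unread.
		if r.ContentLength > maxBytes {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		// MaxBytesReader caps what the decoder can pull, which also covers
		// chunked bodies and a Content-Length that understates the real size.
		r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
		var req queryRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			var tooBig *http.MaxBytesError
			if errors.As(err, &tooBig) {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "malformed query body", http.StatusBadRequest)
			return
		}
		// A real handler would now verify the dashboard access token and run
		// the queries; here the parsed shape is echoed back.
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"panelId":%d,"queryCount":%d}`, req.PanelID, len(req.Queries))
	})
}

// Constructed request bodies for the demo (not captured traffic).
var (
	sampleSmall  = `{"panelId":1,"queries":[{"refId":"A","expr":"up"}]}`
	sampleHuge   = `{"panelId":1,"queries":[` + strings.Repeat(`{"refId":"A","expr":"up"},`, 200) + `{"refId":"A","expr":"up"}]}`
	sampleBroken = `{"panelId":1,"queries":[`
)

// postJSON drives the handler in-process and returns the status code.
// chunked=true hides the length, as a streaming client would.
func postJSON(h http.Handler, body string, chunked bool) int {
	req := httptest.NewRequest(http.MethodPost, "/api/public/dashboards/demo/panels/1/query", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	if chunked {
		req.ContentLength = -1
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := NewQueryHandler(1 << 10) // 1 KiB cap, deliberately tiny for the demo
	fmt.Println("small body:                ", postJSON(h, sampleSmall, false))
	fmt.Println("huge body, length declared:", postJSON(h, sampleHuge, false))
	fmt.Println("huge body, chunked:        ", postJSON(h, sampleHuge, true))
	fmt.Println("truncated JSON:            ", postJSON(h, sampleBroken, false))
}
```

The Content-Length check alone is not enough, since a client can omit or understate it; the reader-level cap is what bounds allocation for every request shape, and the same cap should also sit on the reverse proxy in front of the instance.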
Source: OSV (added 6 days ago)

GO-2026-5708 Grafana: Users can generate Service Account tokens after permissions removal in github.com/grafana/grafana

Grafana: Users can generate Service Account tokens after permissions removal in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

CVSS 8.1 | AI score 5.9 | EPSS 0.00245
Exploits 0 | References 4
Source: OSV (added 6 days ago)

GO-2026-5528 Grafana Tempo has an Uncontrolled Resource Consumption issue in github.com/grafana/tempo

Grafana Tempo has an Uncontrolled Resource Consumption issue in github.com/grafana/tempo. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...

CVSS 7.5 | AI score 5.8 | EPSS 0.00645
Exploits 0 | References 7
Source: OSV (added 6 days ago)

GO-2026-5501 Pyroscope Exposes Storage Secret in github.com/grafana/pyroscope

Pyroscope Exposes Storage Secret in github.com/grafana/pyroscope...

CVSS 9.1 | AI score 5.8 | EPSS 0.00406
Exploits 0 | References 3
Source: OSV (added 6 days ago)

GO-2026-5409 Grafana: SQL Expressions Read File From Disk in github.com/grafana/grafana

Grafana: SQL Expressions Read File From Disk in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please...

CVSS 6.5 | AI score 5.9 | EPSS 0.00262
Exploits 0 | References 4
Source: OSV (added 6 days ago)

GO-2026-5355 Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName in github.com/grafana/grafana-operator

Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName in github.com/grafana/grafana-operator...

CVSS 8.8 | AI score 5.8 | EPSS 0.0032
Exploits 0 | References 3
Source: OSV (added 6 days ago)

GO-2026-5219 Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions in github.com/grafana/grafana

Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this...

CVSS 5.4 | AI score 5.8 | EPSS 0.00238
Exploits 0 | References 5
Source: OSV (added 6 days ago)

GO-2026-5095 Grafana public dashboards disclose all direct mode datasources in github.com/grafana/grafana

Grafana public dashboards disclose all direct mode datasources in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...

CVSS 7.5 | AI score 5.8 | EPSS 0.00309
Exploits 0 | References 3
Source: Nuclei (added 6 days ago)

Grafana Unauthenticated Snapshot Creation

Grafana 6.7.3 through 7.4.1 snapshot functionality can allow an unauthenticated remote attacker to trigger a denial of service via a remote API call if a commonly used configuration is set. Template: id CVE-2021-27358, authors pdteam, bing0o, severity hi...

CVSS 7.5 | AI score 7.2 | EPSS 0.83042
Exploits 0 | References 5
Source: Nuclei (added 6 days ago)

Grafana Post-Auth DuckDB - SQL Injection To File Read

The experimental SQL Expressions feature of Grafana evaluates DuckDB queries that contain user input. These queries are insufficiently sanitized before being passed to DuckDB, leading to command injection and local file inclusion. Any user with the VIEWER or highe...

CVSS 9.9 | AI score 6.6 | EPSS 0.97781
Exploits 10 | References 3
Source: Nuclei (added 6 days ago)

Grafana Snapshot - Authentication Bypass

Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by...

CVSS 9.8 | AI score 6.9 | EPSS 0.99888
Exploits 1 | References 5
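Two of the Nuclei entries above describe requests that are easy to spot in web-server access logs: CVE-2021-43798 traversal under /public/plugins/NAME/, and the literal /api/snapshot/:key and /dashboard/snapshot/:key paths of the snapshot authentication bypass. As an added example, not from the page's sources or the Nuclei project, here is a Go triage that parses constructed common-log-format lines (fabricated for this example, including the plugin IDs and client addresses), percent-decodes the request path and flags both patterns:

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog is constructed for this example (common log format); it is not
// real traffic. Lines 2-3 probe plugin path traversal, lines 4-5 request the
// literal ":key" snapshot paths, lines 1 and 6 are benign.
const sampleLog = `10.0.0.5 - - [01/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 1234
198.51.100.7 - - [01/Dec/2021:10:01:09 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 2010
198.51.100.7 - - [01/Dec/2021:10:01:11 +0000] "GET /public/plugins/grafana-clock-panel/..%2f..%2f..%2f..%2f..%2fvar/lib/grafana/grafana.db HTTP/1.1" 200 917504
203.0.113.9 - - [01/Dec/2021:10:02:00 +0000] "GET /api/snapshot/:key HTTP/1.1" 200 4096
203.0.113.9 - - [01/Dec/2021:10:02:03 +0000] "GET /dashboard/snapshot/:key HTTP/1.1" 200 8192
10.0.0.8 - - [01/Dec/2021:10:02:10 +0000] "GET /dashboard/snapshot/A1b2C3d4e5 HTTP/1.1" 200 8192
`

const (
	RuleTraversal   = "CVE-2021-43798: traversal under /public/plugins/<id>/"
	RuleSnapshotKey = "snapshot auth bypass: literal :key path"
)

type Finding struct {
	Line   int
	Client string
	Rule   string
	Path   string // decoded path as matched
}

// reqLine captures client IP, method and request target from a CLF line.
var reqLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) HTTP/[0-9.]+"`)

// decodePath drops the query string and percent-decodes up to twice, so
// "..%2f" and double-encoded "..%252f" both collapse to "../".
func decodePath(p string) string {
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	for i := 0; i < 2; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || d == p {
			break
		}
		p = d
	}
	return p
}

// hasDotDotSegment treats both "/" and "\" as separators so a backslash
// variant of the same probe is not missed.
func hasDotDotSegment(p string) bool {
	for _, seg := range strings.FieldsFunc(p, func(r rune) bool { return r == '/' || r == '\\' }) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// TriageAccessLog returns one Finding per line that matches either rule.
func TriageAccessLog(logText string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		m := reqLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		client, path := m[1], decodePath(m[3])
		switch {
		case strings.HasPrefix(path, "/public/plugins/") && hasDotDotSegment(path):
			out = append(out, Finding{n, client, RuleTraversal, path})
		case path == "/api/snapshot/:key" || path == "/dashboard/snapshot/:key":
			out = append(out, Finding{n, client, RuleSnapshotKey, path})
		}
	}
	return out
}

func main() {
	for _, f := range TriageAccessLog(sampleLog) {
		fmt.Printf("line %d  %-14s %s  (%s)\n", f.Line, f.Client, f.Rule, f.Path)
	}
}
```

Run this against the log of the layer closest to the client: a reverse proxy that normalises paths before forwarding may already have collapsed the ".." segments, so the Grafana-side log would show only the resolved path and miss the traversal attempt.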