Grafana & Zabbix Integration - Credentials Disclosure
Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the apijsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search...
Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may exploit the redirect to target internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeover. id: CVE-2025-41...
Grafana - Exposes DingDing API Keys
An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight in versions below or equal to 12.0.1. id: CVE-2025-3415 info: name: Grafana - Exposes DingDing API Keys author: lucasribolli severity: medium description: | An inciden...
Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the...
Grafana - Improper Access Control
Grafana 2.x through 6.x before 6.3.4 is susceptible to improper access control. An attacker can delete and create arbitrary snapshots, leading to denial of service. id: CVE-2019-15043 info: name: Grafana - Improper Access Control author: Joshua Rogers severity: high description: | Grafana 2.x...
Grafana <= 6.7.1 - Cross-Site Scripting
Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot...
grafana-11.6.14+security04-1.1 on GA media (moderate)
grafana-11.6.14+security04-1.1 on GA media Announcement ID: openSUSE-SU-2026:10932-1 Rating: moderate Cross-References: CVE-2026-28374 CVE-2026-28376 CVE-2026-28379 CVE-2026-28380 CVE-2026-28383 CVE-2026-33376 CVE-2026-33377 CVE-2026-33378 CVE-2026-33380 CVE-2026-33381 CVSS scores: CVE-2026-28374...
grafana-11.6.14+security01-4.1 on GA media (moderate)
grafana-11.6.14+security01-4.1 on GA media Announcement ID: openSUSE-SU-2026:10922-1 Rating: moderate Cross-References: CVE-2025-30153 CVSS scores: CVE-2025-30153 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Tumbleweed An update that solves one vulnerability...
ROS-20260605-73-0046
The vulnerability in Grafana relates to the unencrypted storage of user data. Exploiting this vulnerability can allow an attacker to gain unauthorized access to protected information...
ROS-20260605-73-0047
The vulnerability in Grafana is related to reading beyond the buffer in memory. Exploiting this vulnerability can allow an attacker to cause a service failure...
ROS-20260605-73-0001
The vulnerability of the Grafana monitoring and observation platform is related to the disclosure of information. Exploiting this vulnerability can allow a malicious actor, operating remotely, to gain unauthorized access to protected information...
GHSA-W2Q5-6Q6X-X959 vulnerabilities
Vulnerabilities for packages: amass, container-object-storage-interface, kube-arangodb, local-path-provisioner, cortex, minio-object-browser, apko, knative-serving, grafana, minio-operator, newrelic-nri-statsd, knative-client, linkerd2, cue, terraform-provider-azapi, vault-k8s, temporal-ui-server...
CVE-2026-39821 vulnerabilities
Vulnerabilities for packages: amass, container-object-storage-interface, kube-arangodb, local-path-provisioner, cortex, minio-object-browser, apko, knative-serving, grafana, minio-operator, newrelic-nri-statsd, knative-client, linkerd2, cue, terraform-provider-azapi, vault-k8s, temporal-ui-server...
GHSA-W2Q5-6Q6X-X959 vulnerabilities
Vulnerabilities for packages: istio-fips, dragonfly-operator-fips, seaweedfs-operator-fips, longhorn-instance-manager-fips, kyverno-policy-reporter-plugins-trivy, kube-oidc-proxy, kserve-localmodelnode-agent, cloud-sql-proxy, gatus-fips, velero-fips, kubernetes-csi-external-health-monitor,...
PT-2026-46848
Summary The hidden nhost configserver used by nhost dev exposes the Mimir GraphQL API with dummy authorization directives and permissive CORS. When a developer is running the local development environment, any process that can reach the developer's localhost service, including a web page loaded...
SUSE-SU-2026:2258-1 Security update for grafana
This update for grafana to version 11.6.14+security01 fixes the following issues: - Security Fixes: - CVE-2026-34986: Fixed unrecoverable error in JWE decryption that could lead to a denial of service bsc1262950 - CVE-2026-41602: Fixed Integer Overflow or Wraparound vulnerability in Apache...
Security update for grafana
This update for grafana to version 11.6.14+security01 fixes the following issues: Security Fixes: CVE-2026-34986: Fixed unrecoverable error in JWE decryption that could lead to a denial of service bsc1262950 CVE-2026-41602: Fixed Integer Overflow or Wraparound vulnerability in Apache Thrift...
RockyLinux 10 : grafana (RLSA-2026:19134)
The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19134 advisory. grafana: Grafana: Information disclosure of data-source passwords via public dashboards CVE-2026-27877 golang: internal/syscall/unix: Root.Chmod can...
Exploit for Path Traversal in Grafana
CVE-2021-43798 - Grafana Arbitrary File Read Python toolkit f...
Grafana Unauthenticated Snapshot Creation
Grafana 6.7.3 through 7.4.1 snapshot functionality can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set. id: CVE-2021-27358 info: name: Grafana Unauthenticated Snapshot Creation author: pdteam,bing0o severity: hi...