107 matches found
CVE-2026-10601
A flaw was found in the Tempo and Loki datasource plugins. A remote attacker with a Viewer role could exploit a path traversal vulnerability by manipulating user-supplied input in URL paths. This could allow the attacker to capture sensitive administrator-configured datasource credentials, invoke...
CVE-2026-42129
The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal...
CVE-2026-10601
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData, custom headers) by traversing to an...
CVE-2026-10601 Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData, custom headers) by traversing to an...
CVE-2026-10601
CVE-2026-10601 affects Grafana Tempo and Loki datasource plugins. The root cause is unsanitized user input interpolated into backend HTTP URL paths, enabling path traversal. A Viewer-role user can (1) retrieve admin-configured datasource credentials via an attacker-controlled endpoint, (2) trigge...
CVE-2026-42129
The CVE describes a path traversal vulnerability in the Loki datasource plugin (callResource handler). An authenticated Viewer-role user can escape the plugin’s resource sandbox and reach administrative Loki endpoints (for example, /config, /services, /ready) to exfiltrate sensitive backend confi...
CVE-2026-42129 Path Traversal in Loki Datasource leads to Internal Information Disclosure
The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal...
EUVD-2026-38241
The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal...
GHSA-CP6G-7HQX-QXHP vulnerabilities
Vulnerabilities for packages: ksops, terraform-provider-pagerduty, thanos, grafana, promxy, loki, grafana-pyroscope, grafana-agent-operator, argo-cd, kubescape-operator, hubble, ratify, cortex, cilium, splunk-otel-collector, slsa-verifier, bento, external-secrets-operator, tekton-chains,...
CVE-2026-2303 vulnerabilities
Vulnerabilities for packages: ksops, terraform-provider-pagerduty, thanos, grafana, promxy, loki, grafana-pyroscope, grafana-agent-operator, argo-cd, kubescape-operator, hubble, ratify, cortex, cilium, splunk-otel-collector, slsa-verifier, bento, external-secrets-operator, tekton-chains,...
CVE-2026-21726
A flaw was found in Loki. A remote attacker can exploit a path traversal vulnerability by using double encoding on the namespace parameter after a single URL decode. This allows the attacker to read arbitrary files at the Ruler API endpoint, leading to information disclosure...
SUSE CVE-2026-21726
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace. Thanks to Prasanth Sundararajan for reporting this vulnerability...
EUVD-2026-23100
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace. Thanks to Prasanth Sundararajan for reporting this vulnerability...
Grafana Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace. Thanks to Prasanth Sundararajan for reporting this vulnerability...
GHSA-497X-RRR9-68JP Grafana Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace. Thanks to Prasanth Sundararajan for reporting this vulnerability...
CVE-2026-21726
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace. Thanks to Prasanth Sundararajan for reporting this vulnerability...
CVE-2026-21726 Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace. Thanks to Prasanth Sundararajan for reporting this vulnerability...