5 matches found
CVE-2026-10601 Path traversal in the Tempo and Loki data source plugins
A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...
CVE-2026-10601
CVE-2026-10601 affects Grafana Tempo and Loki datasource plugins. The root cause is unsanitized user input interpolated into backend HTTP URL paths, enabling path traversal. A Viewer-role user can (1) retrieve admin-configured datasource credentials via an attacker-controlled endpoint, (2) trigge...
Improper Handling of URL Encoding (Hex Encoding)
Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Improper Handling of URL Encoding Hex Encoding where middleware registered with a specific path prefix can be bypassed using URL-encoded characters e.g., /%61dmin instead of /admin. An...
PT-2025-34134 · Winterchens · My-Site
Name of the Vulnerable Software and Affected Versions: WinterChenS my-site versions through commit 6c79286 2025-06-11 Description: An authentication bypass allows unauthorized access to the /admin/ API without a token. Recommendations: Versions prior to commit 6c79286 2025-06-11 should be updated...
CVE-2025-50904
There is an authentication bypass vulnerability in WinterChenS my-site thru commit 6c79286 2025-06-11. An attacker can exploit this vulnerability to access /admin/ API without any token...