
62 matches found

Source: EUVD
added 2026/05/27 5:3 p.m., 5 views

EUVD-2026-32595

Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as...

CVSS 7.7 | AI score 5.8 | EPSS 0.00034
Exploits: 0 | References: 1

Source: Cvelist
added 2026/05/27 5:3 p.m., 36 views

CVE-2026-46427 Budibase: Snowflake private key returned unmasked from datasource API to BASIC users

Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as...

CVSS 7.7 | EPSS 0.00034
Exploits: 0 | References: 1

Source: Rockylinux
added 2026/05/21 4:27 p.m., 4 views

grafana-pcp security and enhancement update

An update is available for grafana-pcp. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The Grafana plugin for Performance Co-Pilot includes datasources for...

CVSS 7.5 | AI score 6.9 | EPSS 0.00098
Exploits: 0

Source: Rockylinux
added 2026/05/20 12:3 a.m., 9 views

grafana-pcp security update

An update is available for grafana-pcp. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The Grafana plugin for Performance Co-Pilot includes datasources for...

CVSS 7.5 | AI score 5.8 | EPSS 0.00044
Exploits: 0

Source: Positive Technologies
added 2026/05/15 12:0 a.m., 5 views

PT-2026-41398

Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.38.1. Description: Budibase contains a route-level authorization misconfiguration where the endpoint "PUT /api/datasources/:datasourceId" is incorrectly assigned to the authorizedRoutes group with TABLE/READ...

CVSS 8.8 | AI score 6 | EPSS 0.00036
Exploits: 0 | References: 5

Source: CVE
added 2026/05/13 7:28 p.m., 14 views

CVE-2026-33378

CVE-2026-33378 concerns Grafana’s Data Source Plugin. The vulnerability arises from the __timeGroup macro when used with a SQL datasource, allowing an attacker to trigger a DoS by causing an OOM on the server. The attack requires no user interaction and has network access with low privileges. If ...

CVSS 6.5 | AI score 5.8 | EPSS 0.00016
Exploits: 0 | References: 1 | Affected Software: 1

Source: RedHat Linux
added 2026/04/20 9:31 a.m., 2 views

Important: Red Hat Security Advisory: grafana-pcp security update

An update for grafana-pcp is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is availabl...

CVSS 7.5 | AI score 7.3 | EPSS 0.00044
Exploits: 0 | References: 2

Source: Cvelist
added 2026/02/12 8:49 a.m., 23 views

CVE-2025-41117 XSS in Grafana Explore stack trace

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...

CVSS 6.8 | EPSS 0.00017
Exploits: 0 | References: 1

Source: FreeBSD
added 2026/02/12 12:0 a.m., 3 views

Grafana -- XSS in Grafana Explore stack trace

https://grafana.com/security/security-advisories/cve-2025-41117 reports: Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasourc...

CVSS 6.8 | AI score 5.8 | EPSS 0.00017
Exploits: 0 | References: 1

Source: RedhatCVE
added 2026/01/16 2:23 p.m., 3 views

CVE-2026-0713

A security vulnerability in the /apis/dashboard.grafana.app/ endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions v0alpha1, v1alpha1, v2alpha1. Impact: - Viewers can view all dashboards/folders regardless of permissions -...

CVSS 8.3 | AI score 6.7 | EPSS 0.00037
Exploits: 0 | References: 1

Source: CVE
added 2026/01/15 1:10 p.m., 6 views

CVE-2026-0713

The Red Hat/CIRCL/EUVD/PTSecurity entries confirm a security issue in Grafana’s API at /apis/dashboard.grafana.app/* affecting all API versions (v0alpha1, v1alpha1, v2alpha1). Root cause: authenticated users can bypass dashboard and folder permissions, allowing Viewer role to access all dashboard...

AI score 6.3 | EPSS 0.00037
Exploits: 0

Source: Vulnrichment
added 2026/01/15 1:10 p.m., 1 views

CVE-2026-0713

...

AI score 5.3 | EPSS 0.00037
Exploits: 0

Source: Positive Technologies
added 2026/01/15 12:0 a.m., 2 views

PT-2026-3008

Name of the Vulnerable Software and Affected Versions: Grafana, affected versions not specified. Description: A flaw exists in Grafana’s datasource proxy API that permits bypassing authorization checks. This is achieved by including an additional slash character within the URL path. Users with limite...

CVSS 5 | AI score 6 | EPSS 0.00027
Exploits: 0 | References: 8

Source: Positive Technologies
added 2026/01/15 12:0 a.m., 1 views

PT-2026-2986

Name of the Vulnerable Software and Affected Versions: Grafana, affected versions not specified. Description: A security issue exists in the /apis/dashboard.grafana.app/ API endpoints, allowing authenticated users to bypass dashboard and folder permissions. This affects all API versions v0alpha1,...

CVSS 8.3 | AI score 6.1 | EPSS 0.00037
Exploits: 0 | References: 11

Source: Tenable Nessus
added 2025/08/19 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2025-3454

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with...

CVSS 5 | AI score 6.1 | EPSS 0.00032
Exploits: 0 | References: 2

Source: Tenable Nessus
added 2025/08/18 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-3260

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A security vulnerability in the /apis/dashboard.grafana.app/ endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability...

CVSS 8.3 | AI score 7.7 | EPSS 0.00008
Exploits: 0 | References: 2

Source: OSV
added 2025/08/14 3:30 p.m., 2 views

GHSA-MHPQ-M962-MG92 Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasourceid in the URL, an attacker can...

CVSS 5.3 | AI score 6.5 | EPSS 0.00094
Exploits: 0 | References: 4

Source: CVE
added 2025/08/14 1:18 p.m., 31 views

CVE-2025-55675

CVE-2025-55675 — Apache Superset: There is an improper access-control issue on the /explore endpoint. An authenticated user can enumerate metadata for datasources they lack permission to access by iterating datasource_id in the URL, leading to potential disclosure of protected datasource names. Affect...

CVSS 6.5 | AI score 6.5 | EPSS 0.00094
Exploits: 0 | References: 2 | Affected Software: 1

Source: Cvelist
added 2025/08/14 1:18 p.m., 6 views

CVE-2025-55675 Apache Superset: Incorrect datasource authorization on REST API

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasourceid in the URL, an attacker can...

CVSS 5.3 | EPSS 0.00094
Exploits: 0 | References: 1

Source: Tenable Nessus
added 2025/07/15 12:0 a.m., 14 views

Grafana Labs < 10.4.17+security-01, 11.2.8+security-01, 11.3.5+security-01, 11.4.3+security-01, 11.5.3+security-01, 11.6.0+security-01 Improper Authorization (CVE-2025-3454)

The version of Grafana Labs installed on the remote host is affected by improper authorization vulnerability as referenced in the CVE-2025-3454 advisory. - This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL...

CVSS 5 | AI score 6.2 | EPSS 0.00032
Exploits: 0 | References: 2