Lucene search
+L

129 matches found

OSV
OSV
added 2026/06/22 1:18 p.m.4 views

CVE-2026-10601 Path traversal in the Tempo and Loki data source plugins

A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...

5.4CVSS6.1AI score0.00258EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2026/06/22 1:18 p.m.6 views

CVE-2026-10601

A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...

5.4CVSS6.1AI score0.00258EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/06/22 1:18 p.m.8 views

CVE-2026-42129 Path traversal in the Loki data source plugin

A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...

7.7CVSS6.1AI score0.00394EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/06/22 1:18 p.m.7 views

CVE-2026-42129

A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...

7.7CVSS6.1AI score0.00394EPSS
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/06/22 1:18 p.m.12 views

CVE-2026-42129

A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...

7.7CVSS6.1AI score0.00394EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/22 1:18 p.m.9 views

EUVD-2026-38241

The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints e.g. /config, /services, /ready to extract sensitive backend configuration and internal...

7.7CVSS5.9AI score0.00394EPSS
Exploits0References1
CVE
CVE
added 2026/06/22 1:18 p.m.40 views

CVE-2026-42129

The CVE describes a path traversal vulnerability in the Loki datasource plugin (callResource handler). An authenticated Viewer-role user can escape the plugin’s resource sandbox and reach administrative Loki endpoints (for example, /config, /services, /ready) to exfiltrate sensitive backend confi...

7.7CVSS6.1AI score0.00394EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/22 1:18 p.m.36 views

CVE-2026-42129 Path traversal in the Loki data source plugin

A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...

7.7CVSS0.00394EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.17 views

PT-2026-51303

Name of the Vulnerable Software and Affected Versions Loki datasource plugin affected versions not specified Description The callResource handler in the Loki datasource plugin contains a path traversal flaw. This allows an authenticated user with a Viewer role to escape the resource sandbox and...

7.7CVSS5.9AI score0.00394EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.19 views

PT-2026-51299

Name of the Vulnerable Software and Affected Versions Tempo datasource plugin affected versions not specified Loki datasource plugin affected versions not specified Description These plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization,...

5.4CVSS5.8AI score0.00258EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/06/22 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-10601

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path...

5.4CVSS6AI score0.00258EPSS
Exploits0References2
Wolfi
Wolfi
added 2026/06/19 8:20 a.m.16 views

GHSA-CP6G-7HQX-QXHP vulnerabilities

Vulnerabilities for packages: bento, opentelemetry-collector-contrib, grafana, migrate, slsa-verifier, argo-cd, promxy, grafana-mimir, vcluster, kubeflow-pipelines, teleport, ferretdb, cortex, dapr, grafana-pyroscope, kubescape-operator, ksops, thanos, tetragon, kyverno, amazon-cloudwatch-agent,...

5.3AI score
Exploits0
Wolfi
Wolfi
added 2026/06/19 8:20 a.m.22 views

CVE-2026-2303 vulnerabilities

Vulnerabilities for packages: bento, opentelemetry-collector-contrib, grafana, migrate, slsa-verifier, argo-cd, promxy, grafana-mimir, vcluster, kubeflow-pipelines, teleport, ferretdb, cortex, dapr, grafana-pyroscope, kubescape-operator, ksops, thanos, tetragon, kyverno, amazon-cloudwatch-agent,...

6.9CVSS6.3AI score0.00223EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/04/17 1:0 p.m.10 views

CVE-2026-21726

A flaw was found in Loki. A remote attacker can exploit a path traversal vulnerability by using double encoding on the namespace parameter after a single URL decode. This allows the attacker to read arbitrary files at the Ruler API endpoint, leading to information disclosure...

5.3CVSS5.9AI score0.00409EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/04/17 12:3 p.m.10 views

SUSE CVE-2026-21726

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

5.3CVSS5.7AI score0.00409EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/15 9:30 p.m.10 views

Grafana Loki Path Traversal - CVE-2021-36156 Bypass

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

5.3CVSS5.8AI score0.01489EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/15 9:30 p.m.6 views

GHSA-497X-RRR9-68JP Grafana Loki Path Traversal - CVE-2021-36156 Bypass

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

5.3CVSS5.8AI score0.00409EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/15 9:30 p.m.11 views

EUVD-2026-23100

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

5.3CVSS6AI score0.01489EPSS
Exploits0References2
NVD
NVD
added 2026/04/15 8:16 p.m.5 views

CVE-2026-21726

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

5.3CVSS0.00409EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/15 7:24 p.m.4 views

CVE-2026-21726 Loki Path Traversal - CVE-2021-36156 Bypass

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

5.3CVSS5.8AI score0.00409EPSS
Exploits0References1
Rows per page
Query Builder