19 matches found
BIT-GRAFANA-2026-42127 Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...
CVE-2026-42127
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...
CVE-2026-42127 Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...
CVE-2026-42127
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...
CVE-2026-42127
CVE-2026-42127 is a Grafana vulnerability affecting the public dashboard query endpoint. The issue arises because the endpoint does not limit the request body size before processing, allowing unauthenticated attackers to trigger memory exhaustion by sending arbitrarily large JSON payloads. The re...
PT-2026-51363
Name of the Vulnerable Software and Affected Versions Grafana affected versions not specified Description The public dashboard query endpoint does not limit the request body size before processing. This allows unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily...
GHSA-VRMH-5MMX-HJWX Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
Private services EnableShowInService: false are enumerable via per-server endpoints, leaking name and timing data CWE: CWE-285 Improper Authorization via CWE-200 Exposure of Sensitive Information to an Unauthorized Actor and CWE-863 Incorrect Authorization — inconsistent gating across data-reader...
UBUNTU-CVE-2026-7765
Incorrect authorization in the User Messages dashboard widget in Checkmk 2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by...
EUVD-2026-35051
Incorrect authorization in the User Messages dashboard widget in Checkmk 2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by...
CVE-2026-7765
Incorrect authorization in the User Messages dashboard widget in Checkmk 2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by...
PT-2026-47285
Incorrect authorization in the User Messages dashboard widget in Checkmk 2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by...
CVE-2026-41518 Chartbrew has a stored DOM XSS via Chart Tooltip innerHTML (ChartDatasetConfig.legend)
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The...
EUVD-2026-34319
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The...
CVE-2026-41518
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The...
PT-2026-46317
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The...
EUVD-2019-8347
Malware in sbrugna...
Atlassian Jira Public Dashboard Detected
Atlassian Jira misconfiguration can allow a remote and unauthenticated attacker to enumerate a list of dashboards that may contain sensitive information. No source data...
Grafana 安全漏洞
Grafana is Grafana open source set of open source monitoring tools that provide a visual monitoring interface . The tool is mainly used to monitor and analyze Graphite, InfluxDB and Prometheus and so on. A security vulnerability exists in Grafana versions prior to 9.4.12, 9.5.3, and 9.5.3, which...
CVE-2019-18623
Escalation of privileges in EnergyCAP 7 through 7.5.6 allows an attacker to access data. If an unauthenticated user clicks on a link on the public dashboard, the resource opens in EnergyCAP with access rights matching the user who created the dashboard...