grafana — Vulnerabilities & Security Advisories (85)

Browse all 85 CVE security advisories affecting grafana. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Grafana serves as a leading open-source platform for observability, enabling users to visualize metrics, logs, and traces from diverse data sources. Despite its utility, the software has accumulated 85 recorded Common Vulnerabilities and Exposures (CVEs), reflecting a history of security challenges. Historically, these flaws frequently involve remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from insufficient input validation or improper access controls in its plugin ecosystem and API endpoints. While no single catastrophic incident has defined its entire lifecycle, the high volume of CVEs indicates persistent risks in its complex architecture. Security teams must prioritize regular patching and strict configuration management to mitigate these known weaknesses, ensuring that the platform’s robust visualization capabilities do not compromise underlying infrastructure integrity.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-21728 | Tempo query limit results in unbounded memory allocation — Tempo | 7.5 | High | 2026-04-24 |
| CVE-2026-21726 | Loki Path Traversal - CVE-2021-36156 Bypass — Loki | 5.3 | Medium | 2026-04-15 |
| CVE-2025-41118 | Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection — Pyroscope | 9.1 | Critical | 2026-04-15 |
| CVE-2026-21727 | Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record — Grafana Correlations | 3.3 | Low | 2026-04-15 |
| CVE-2025-12141 | Grafana Alerting Editors can edit destination of webhooks they did not create — Grafana Alerting (CWE-200) | 8.1 | - | 2026-04-15 |
| CVE-2026-27879 | Query resampling can cause unbounded memory allocations — Grafana | 6.5 | Medium | 2026-03-27 |
| CVE-2026-28375 | Grafana Testdata datasource can issue unbounded memory allocations — Grafana | 6.5 | Medium | 2026-03-27 |
| CVE-2026-27876 | RCE on Grafana via sqlExpressions — Grafana | 9.1 | Critical | 2026-03-27 |
| CVE-2026-27880 | OpenFeature evaluation API reads input data with no bounds — Grafana | 7.5 | High | 2026-03-27 |
| CVE-2026-27877 | Public dashboards discloses all direct mode datasources — Grafana | 6.5 | Medium | 2026-03-27 |
| CVE-2026-28377 | S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern) — Tempo | 7.5 | High | 2026-03-26 |
| CVE-2026-21724 | Missing Protected-field Authorization in Provisioning Contact Points API — Grafana OSS | 5.4 | Medium | 2026-03-26 |
| CVE-2026-33375 | Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS — Grafana OSS | 6.5 | Medium | 2026-03-26 |
| CVE-2026-21725 | Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name — Grafana | 2.6 | Low | 2026-02-25 |
| CVE-2025-41117 | XSS in Grafana Explore stack trace — grafana/grafana | 6.8 | Medium | 2026-02-12 |
| CVE-2026-21722 | Public Dashboards time range restriction on annotations can be bypassed — grafana/grafana | 5.3 | Medium | 2026-02-12 |
| CVE-2026-21721 | Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation — grafana/grafana | 8.1 | High | 2026-01-27 |
| CVE-2026-21720 | Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out — grafana/grafana-enterprise | 7.5 | High | 2026-01-27 |
| CVE-2025-41115 | Incorrect privilege assignment — Grafana Enterprise | 10.0 | Critical | 2025-11-21 |
| CVE-2025-11539 | Arbitrary Code Execution in Grafana Image Renderer Plugin — grafana-image-renderer (CWE-94) | 9.9 | Critical | 2025-10-09 |
| CVE-2025-10630 | Regex DoS in Grafana Zabbix Plugin — grafana-zabbix-plugin (CWE-20) | 4.3 | Medium | 2025-09-19 |
| CVE-2025-8341 | SSRF in Infinity Datasource Plugin — grafana-infinity-datasource (CWE-918) | 5.0 | Medium | 2025-08-04 |
| CVE-2025-6197 | Grafana OSS security vulnerability — Grafana (CWE-601) | 4.2 | Medium | 2025-07-18 |
| CVE-2025-6023 | Grafana OSS security vulnerability — Grafana (CWE-601) | 7.6 | High | 2025-07-18 |
| CVE-2025-3415 | Grafana security vulnerability — Grafana (CWE-200) | 4.3 | Medium | 2025-07-17 |
| CVE-2025-1088 | Very long unicode dashboard title or panel name can hang the frontend — Grafana (CWE-20) | 2.7 | Low | 2025-06-18 |
| CVE-2025-3454 | Grafana security vulnerability — Grafana (CWE-285) | 5.0 | Medium | 2025-06-02 |
| CVE-2025-3260 | Grafana security vulnerability — Grafana (CWE-863) | 8.3 | High | 2025-06-02 |
| CVE-2025-3580 | Grafana OSS security vulnerability — Grafana (CWE-284) | 5.5 | Medium | 2025-05-23 |
| CVE-2025-4123 | Grafana security vulnerability — Grafana (CWE-79) | 7.6 | High | 2025-05-22 |

This page lists every published CVE security advisory associated with grafana. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.