CVE-2026-33375
published 2026-03-26

Priority: P3, 37, medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.43% (34.7th percentile)
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

Affected

10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | >= 11.6.0 < 11.6.14 | 11.6.14 |
| grafana | grafana | >= 12.1.0 < 12.1.10 | 12.1.10 |
| grafana | grafana | >= 12.2.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.4.0 < 12.4.2 | 12.4.2 |
| grafana | grafana_oss | >= 11.6.0 < 11.6.14+security-01 | 11.6.14+security-01 |
| grafana | grafana_oss | >= 12.1.0 < 12.1.10+security-01 | 12.1.10+security-01 |
| grafana | grafana_oss | >= 12.2.0 < 12.2.8+security-01 | 12.2.8+security-01 |
| grafana | grafana_oss | >= 12.3.0 < 12.3.6+security-01 | 12.3.6+security-01 |
| grafana | grafana_oss | >= 12.4.0 < 12.4.2 | 12.4.2 |

CVSS provenance

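| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | | 6.5 | MEDIUM | |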