CVE-2026-33762
Published 2026-03-31
Priority: P49 (low)
CVSS 3.1: 2.8 (LOW), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
EPSS: 0.15% (4.8th percentile)
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
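The description above comes down to one unchecked subtraction. In index format v4 each entry's path is stored as a varint N meaning "drop N bytes from the end of the previous entry's path", followed by a NUL-terminated suffix; a decoder that computes prev[:len(prev)-N] without first checking N <= len(prev) panics on a crafted N. The Go program below is an added example written for this page, not go-git's code: it models the v4 path decoder in both forms (unchecked, as the advisory describes, and with the missing bounds check), runs both on constructed sample fields, and shows the recover() stop-gap a caller stuck on a pre-5.17.1 version would need. The function names and the sample bytes are this example's own.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// readVarint decodes git's "offset" varint (used for the v4 strip count):
// 7 data bits per byte, MSB set means another byte follows, and each
// continuation adds 1 before shifting, so every value has one encoding.
func readVarint(r *bufio.Reader) (uint64, error) {
	c, err := r.ReadByte()
	if err != nil {
		return 0, err
	}
	val := uint64(c & 0x7f)
	for c&0x80 != 0 {
		if val++; val>>57 != 0 { // the next shift would overflow
			return 0, errors.New("varint overflow")
		}
		if c, err = r.ReadByte(); err != nil {
			return 0, err
		}
		val = (val << 7) + uint64(c&0x7f)
	}
	return val, nil
}

// readEntryNameV4 decodes one v4 path field: varint N ("drop N bytes from the
// end of the previous path") then a NUL-terminated suffix. With validate=false
// it slices prev[:len(prev)-N] unchecked, as the advisory describes, so
// N > len(prev) gives a negative bound and a runtime panic; validate=true adds
// the missing check and rejects the field instead.
func readEntryNameV4(r *bufio.Reader, prev string, validate bool) (string, error) {
	strip, err := readVarint(r)
	if err != nil {
		return "", err
	}
	if validate && strip > uint64(len(prev)) {
		return "", fmt.Errorf("index v4: strip %d > previous path length %d", strip, len(prev))
	}
	base := prev[:len(prev)-int(strip)] // unchecked: panics when strip > len(prev)
	suffix, err := r.ReadBytes(0)
	if err != nil {
		return "", err
	}
	return base + string(suffix[:len(suffix)-1]), nil
}

// decodeNamesV4 expands a stream of v4 path fields (names only; the header,
// stat data and extensions of a real index are omitted) until the stream ends.
func decodeNamesV4(data []byte, validate bool) ([]string, error) {
	r := bufio.NewReader(bytes.NewReader(data))
	var names []string
	prev := ""
	for {
		if _, err := r.Peek(1); err == io.EOF {
			return names, nil
		}
		name, err := readEntryNameV4(r, prev, validate)
		if err != nil {
			return names, err
		}
		names = append(names, name)
		prev = name
	}
}

// Constructed v4 path fields (not a real index) for "src/main.go",
// "src/util.go", "README": strip 0 + "src/main.go", strip 7 + "util.go",
// strip 11 + "README".
var goodSample = []byte("\x00src/main.go\x00\x07util.go\x00\x0bREADME\x00")

// goodSample followed by a field whose strip count is 200 (varint 0x80 0x48),
// larger than any previous path: the crafted input the advisory describes.
var craftedSample = append(append([]byte{}, goodSample...), 0x80, 0x48, 'x', 0)

// decodeNamesV4Recover runs the unchecked decoder under recover(), the only
// defence a caller on a pre-5.17.1 go-git has against the panic ending the
// process. It is a stop-gap, not a fix.
func decodeNamesV4Recover(data []byte) (names []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("index decoder panicked: %v", r)
		}
	}()
	return decodeNamesV4(data, false)
}

func main() {
	names, err := decodeNamesV4(goodSample, true)
	fmt.Println("valid index:", names, err)
	_, err = decodeNamesV4(craftedSample, true)
	fmt.Println("validated decoder:", err)
	_, err = decodeNamesV4Recover(craftedSample)
	fmt.Println("unchecked decoder:", err)
}
```

Note that the recover() wrapper only converts the crash into an error for that one call; the index is still unreadable, and a process that keeps retrying the same file keeps failing. Upgrading to go-git 5.17.1 is the fix.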
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-go-git-go-git | — | — |
| github.com | go-git_go-git_v5 | >= 0 < 5.17.1 | 5.17.1 |
| go-git | go-git | < 5.17.1 | 5.17.1 |
| go-git_project | go-git | < 5.17.1 | 5.17.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 2.8 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |
| osv | — | 2.8 | LOW | — |
| vendor_debian | — | 2.8 | LOW | — |
| vendor_redhat | — | 2.8 | LOW | — |
OSV
Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git
osv · 2026-04-07 · CVE-2026-33762
OSV
CVE-2026-33762: go-git is an extensible git implementation library written in pure Go
osv · 2026-03-31 · CVSS 2.8 [LOW]
GHSA
go-git missing validation decoding Index v4 files leads to panic
ghsa · 2026-03-30 · CVE-2026-33762 [LOW] · CWE-129
### Impact
`go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.
This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue.
An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.
Exploitation requires the ability
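Since only v4 indexes reach the compressed-path decoder, the first triage question is whether any index in scope actually uses version 4 (git writes v2 by default; v4 is opt-in via the index.version or feature.manyFiles settings, or `git update-index --index-version 4`). The Go snippet below is an added example, not go-git's or git's code: it reads the 12-byte index header (signature, big-endian version, big-endian entry count) and reports whether the file would take the affected code path. Given no argument it inspects a constructed header instead of a real file; the function and type names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// indexSignature is the 4-byte magic at the start of .git/index ("dircache").
const indexSignature = "DIRC"

// IndexHeader is the fixed 12-byte header: signature, big-endian format
// version, big-endian entry count.
type IndexHeader struct {
	Version uint32
	Entries uint32
}

// parseIndexHeader checks the signature and the version range git defines
// (2, 3 and 4) without reading any entries.
func parseIndexHeader(b []byte) (IndexHeader, error) {
	if len(b) < 12 {
		return IndexHeader{}, errors.New("index shorter than its 12-byte header")
	}
	if string(b[:4]) != indexSignature {
		return IndexHeader{}, fmt.Errorf("bad index signature %q", b[:4])
	}
	h := IndexHeader{
		Version: binary.BigEndian.Uint32(b[4:8]),
		Entries: binary.BigEndian.Uint32(b[8:12]),
	}
	if h.Version < 2 || h.Version > 4 {
		return h, fmt.Errorf("unknown index version %d", h.Version)
	}
	return h, nil
}

// usesCompressedPaths reports whether this index takes the v4
// prefix-compressed path decoder, the only code path CVE-2026-33762 affects.
func usesCompressedPaths(h IndexHeader) bool { return h.Version == 4 }

// sampleHeader builds a constructed header for the demo and tests.
func sampleHeader(version, entries uint32) []byte {
	b := make([]byte, 12)
	copy(b, indexSignature)
	binary.BigEndian.PutUint32(b[4:], version)
	binary.BigEndian.PutUint32(b[8:], entries)
	return b
}

func main() {
	// With a path argument (e.g. .git/index) the real file is inspected;
	// otherwise a constructed v4 header stands in for it.
	data := sampleHeader(4, 3)
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Println("read:", err)
			os.Exit(1)
		}
	}
	h, err := parseIndexHeader(data)
	if err != nil {
		fmt.Println("not a git index:", err)
		os.Exit(1)
	}
	fmt.Printf("index version %d, %d entries, v4 compressed paths: %v\n",
		h.Version, h.Entries, usesCompressedPaths(h))
}
```

A v2 or v3 index does not make a pre-5.17.1 go-git safe in general (anyone who can write .git/index can also rewrite its version field); it only tells you which checked-out trees would trip this particular decoder today.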
OSV
go-git missing validation decoding Index v4 files leads to panic
osv · 2026-03-30 · CVE-2026-33762 [LOW] (same advisory text as the GHSA entry above)
Red Hat
github.com/go-git/go-git/v5: go-git: Denial of Service via crafted Git index file
vendor_redhat · 2026-03-31 · CVSS 2.8 [LOW] · CWE-1284
A flaw was found in go-git, a library used for Git implementations. An attacker could exploit this vulnerability by providing a specially crafted Git index
Debian
CVE-2026-33762: golang-github-go-git-go-git
vendor_debian · 2026 · CVSS 2.8 [LOW]
Scope: local
bookworm: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-34165 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.1 [MEDIUM]
## CVE-2026-34165 :
Packer vulnerability analysis and mitigation
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, in order to create or alter existing .idx files. This issue has been patched in version 5.17.1.
Source : NVD
Score 5.0 (CNA Score 5.0), Severity MEDIUM, Published March 31, 2026
Affected Technologies: Packer, Grafana
Has Public Exploit: No
Has CISA KEV Exploit: No
Wiz
CVE-2026-33762 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 2.8 [LOW]
## CVE-2026-33762 :
Packer vulnerability analysis and mitigation
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
Source : NVD
Score 2.8 (CNA Score 2.8), Severity LOW, Published March 31, 2026
Affected Technologies: Packer, Grafana
Has Public Exploit: No
Has CISA KEV Exploit: No
Wiz
CVE-2026-25934 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3 [MEDIUM]
## CVE-2026-25934 :
Packer vulnerability analysis and mitigation
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This v
Wiz
CVE-2026-33938 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
CVE-2026-33938 [LOW] CVE-2026-33938 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33938 :
Grafana vulnerability analysis and mitigation
@partial-block
@partial-block
{{> @partial-block}}
require('handlebars/runtime')
compile()
handlebars-helpers
Wiz Threat Research note: Wiz has overridden initial access potential to FALSE since the vulnerability is only exploitable under specific conditions.
Source : NVD
## 8.1
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kibana-9.1
opensearch-dashboards-2
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity
Wiz
CVE-2026-1229 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.9
CVE-2026-1229 [LOW] CVE-2026-1229 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1229 :
Packer vulnerability analysis and mitigation
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.
The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .
Source : NVD
## 2.9
Score
Published February 24, 2026
Severity LOW
CNA Score 2.9
Affected Technologies
Packer
HashiCorp Vault
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
crossplane-2.0
terragrunt-fips
Sources
NVD
Chai
Wiz
CVE-2025-22873 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.8
CVE-2025-22873 [LOW] CVE-2025-22873 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-22873 :
Datadog Agent vulnerability analysis and mitigation
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
Source : NVD
## 3.8
Score
Published February 4, 2026
Severity LOW
CNA Score 3.8
Affected Technologies
Datadog Agent
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
container-tools:rhel8::runc
containerd-1
Sources
Alpine 3.1
Wiz
CVE-2025-68156 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68156 [HIGH] CVE-2025-68156 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68156 :
Grafana vulnerability analysis and mitigation
flatten
min
max
mean
median
builtin.MaxDepth
Source : NVD
## 7.5
Score
Published December 16, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Amazon CloudWatch Agent
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eks-distro-1.33
elastic-agent-fips-9.0
Sources
NVD
AlmaLinux 9 Severity HIGH Has Fix Added at: Dec 25, 2025
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Dec 28, 2025
Chainguard Has Fix Added at: Dec 18, 2025
Echo Severity HIGH No Fix Added at: Dec 18, 2025
GoLang Severity HIGH Has Fix Added at: Dec 17, 20
Wiz
CVE-2026-34986 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-34986 [HIGH] CVE-2026-34986 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34986 :
Packer vulnerability analysis and mitigation
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() follow
Wiz
CVE-2026-28377 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-28377 [HIGH] CVE-2026-28377 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28377 :
Grafana vulnerability analysis and mitigation
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.
Thanks to william_goodfellow for reporting this vulnerability.
Source : NVD
## 7.5
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Grafana Tempo
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-elasticsearch
grafana-graphite
Sources
NVD
Nix Severity HIGH Has Fix Added at: Apr 05,
Wiz
CVE-2026-27877 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-27877 [MEDIUM] CVE-2026-27877 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27877 :
Grafana vulnerability analysis and mitigation
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Source : NVD
Score 7.5
Published March 27, 2026
Severity HIGH
CNA Score 6.5
Affected Technologies
Grafana
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-prometheus
grafana-fips-12.4
Sources
Chainguard Has
Wiz
CVE-2025-64702 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2025-64702: Trivy vulnerability analysis and mitigation
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.
Source : NVD
Score 5.3
Published December 11, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Trivy
Synct
Wiz
CVE-2026-24137 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
## CVE-2026-24137: Datadog Agent vulnerability analysis and mitigation
sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffecte
Wiz
CVE-2026-33916 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
## CVE-2026-33916: Grafana vulnerability analysis and mitigation
Source : NVD
Score 4.7
Published March 27, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-loki
grafana-postgres
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 29, 2026
Echo Severity MEDIUM No Fix Added at: Mar 29, 2026
npm Severity ME
Wiz
CVE-2026-27876 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
## CVE-2026-27876: Grafana vulnerability analysis and mitigation
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.
Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Only instances in the following version ranges are affected:
- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
- 12.3.0 (inclusive) to 12.3.6 (exclusive)
Wiz
CVE-2026-24051 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
## CVE-2026-24051: Packer vulnerability analysis and mitigation
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.
Source : NVD
Score 7
Published February 2, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
Packer
HashiCorp Vault
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Expl
Wiz
CVE-2025-15558 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
## CVE-2025-15558: Trivy vulnerability analysis and mitigation
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user.
This issue affects Docker CLI: through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager https://pkg.go.dev/github.com/docker/[email protected]+incompatible/cli-plugins/manager package, such as Docker Compose.
This issue does
Wiz
CVE-2026-33941 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
## CVE-2026-33941: Grafana vulnerability analysis and mitigation
Source : NVD
Score 8.2
Published March 27, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
handlebars
389-ds:1.4::389-ds-base-legacy-tools
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity HIGH No Fix Added at: Mar 29, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2026
npm Severity HIGH Has Fix Added at: Mar 29, 2026
Red Hat 7, 8, 9, 1
Wiz
CVE-2026-33634 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
## CVE-2026-33634: Trivy vulnerability analysis and mitigation
Source : NVD
Score 9.4
Published March 23, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
Trivy
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit Yes
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 95.6
Exploitation Probability (EPSS) 21.2
Affected packages and libraries
cpe:2.3:a:litellm:litellm
github.com/aquasecurity/trivy
Sources
Chainguard No Fix Added at: Mar 29, 2026
GoLang Severity CRITICAL No Fix Added at: Mar 24, 2026
Homebrew Severity HIGH No
Wiz
CVE-2026-23991 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
## CVE-2026-23991: Trivy vulnerability analysis and mitigation
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
Source : NVD
Score 7.5
Published January 22, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
Trivy
CBL Mariner
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Rel
Wiz
CVE-2026-33375 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2026-33375: Grafana vulnerability analysis and mitigation
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Source : NVD
Score 6.5
Published March 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Grafana
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-fips-11.6
grafana-fips-12.2
Sources
Chainguard No Fix Added at: Apr 02, 2026
Homebrew Severity MEDIUM Has Fix Added at: Apr 05, 2026
MinimOS Severit
Wiz
CVE-2026-33939 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
## CVE-2026-33939: Grafana vulnerability analysis and mitigation
Source : NVD
Score 7.5
Published March 27, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
firefox-x11
grafana-loki
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity HIGH No Fix Added at: Mar 29, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2
Wiz
CVE-2026-20736 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-20736: Gitea vulnerability analysis and mitigation
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
Source : NVD
Score 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
code.gitea.io/gitea
cpe:2.3:a:gitea:gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.
Wiz
CVE-2026-20750 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
## CVE-2026-20750: Gitea vulnerability analysis and mitigation
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
Source : NVD
Score 9.1
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:gitea:gitea
gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity CRITICAL No Fix Added at: Jan 30, 2026
Wiz
CVE-2026-27141 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-27141: Grafana vulnerability analysis and mitigation
Due to a missing nil check, sending HTTP/2 frames of types 0x0a-0x0f will cause a running server to panic.
Source : NVD
Score 7.5
Published February 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Podman
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
crossplane-provider-aws-wafv2
seaweedfs-operator-fips
Sources
NVD
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Mar 14, 2026
Chainguard Has Fix Added at: Mar 03, 2026
GoLang Severity HIGH Has Fix Added at: Mar 13, 2026
Red Hat 8, 9, 10 Severity MEDIUM No Fix Added at: Mar 02, 2026
Wiz
CVE-2026-21722 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-21722: Grafana vulnerability analysis and mitigation
Public dashboards with annotations enabled did not limit their annotation time range to the locked time range of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked time range.
This did not leak any annotations that would not otherwise be visible on the public dashboard.
Source : NVD
Score 5.3
Published February 12, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Grafana
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-github-lus
Wiz
CVE-2026-21725 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.6
## CVE-2026-21725: Grafana vulnerability analysis and mitigation
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.
This requires several very stringent conditions to be met:
- The attacker must have admin access to the specific datasource prior to its first deletion.
- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
- The attacker must delete the datasource, then someone must recreate it.
- The new datasource must not have the attacker as an admin.
- The new datasource must have the same UID as the prior datasource. These are randomised by default.
- The datasource can now be re-deleted by the attacker.
Once 30 seconds are up, th
Wiz
CVE-2026-22703 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
## CVE-2026-22703: Datadog Agent vulnerability analysis and mitigation
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by includin
Wiz
CVE-2026-20912 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
## CVE-2026-20912: Gitea vulnerability analysis and mitigation
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Source : NVD
Score 9.1
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:gitea:gitea
github.com/go-gitea/gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21
Wiz
CVE-2026-20904 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2026-20904: Gitea vulnerability analysis and mitigation
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
Source : NVD
Score 6.5
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/go-gitea/gitea
cpe:2.3:a:gitea:gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Jan 30, 2026
Chainguard
Wiz
CVE-2026-33940 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
## CVE-2026-33940: Grafana vulnerability analysis and mitigation
Wiz Threat Research note: Wiz has overridden initial access potential to FALSE since the vulnerability is only exploitable under specific conditions.
Source : NVD
Score 8.1
Published March 27, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
lerna
handlebars
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Sever
Wiz
CVE-2026-23831 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-23831: Datadog Agent vulnerability analysis and mitigation
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.
Source : NVD
Score 5.3
Pub
Wiz
CVE-2026-20888 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## CVE-2026-20888: Gitea vulnerability analysis and mitigation
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
Source : NVD
Score 4.3
Published January 22, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/go-gitea/gitea
cpe:2.3:a:gitea:gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Jan
Wiz
CVE-2025-41117 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
## CVE-2025-41117: Grafana vulnerability analysis and mitigation
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.
Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
Source : NVD
Score 6.1
Published February 12, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
Grafana
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-azure-monitor
grafana-elasticsearch
Sou
Bugzilla
CVE-2026-33762 k9s: go-git: Denial of Service via crafted Git index file [fedora-all]
bugzilla·2026-04-02·CVSS 2.8
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-33762 tailscale: go-git: Denial of Service via crafted Git index file [fedora-all]
bugzilla·2026-04-02·CVSS 2.8
Discussion:
FEDORA-2026-c3b7c062a3 (tailscale-1.98.4-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-c3b7c062a3
---
FEDORA-2026-07897c0238 (tailscale-1.98.4-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-07897c0238
---
FEDORA-2026-c3b7c062a3 (tailscale-1.98.4-1.fc45) has been pushed to the Fedora 45 stable repository.
If problem still persists, please make n
Bugzilla
CVE-2026-33762 trivy: go-git: Denial of Service via crafted Git index file [fedora-all]
bugzilla·2026-04-02·CVSS 2.8
Discussion:
FEDORA-2026-6fc2f11089 (trivy-0.69.3-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6fc2f11089
---
FEDORA-2026-6fc2f11089 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-6fc2f11089`
You can provide feedback for this update here: https://bodhi.fedoraproject.
Bugzilla
CVE-2026-33762 forgejo-runner: go-git: Denial of Service via crafted Git index file [epel-all]
bugzilla·2026-04-02·CVSS 2.8
Discussion:
FEDORA-EPEL-2026-e8e9ba1f80 has been pushed to the Fedora EPEL 10.3 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-e8e9ba1f80
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Bugzilla
CVE-2026-33762 jfrog-cli: go-git: Denial of Service via crafted Git index file [epel-all]
bugzilla·2026-04-02·CVSS 2.8
Discussion:
This was fixed in v5.17.1, which is included with jfrog-cli v2.98.0.
---
FEDORA-EPEL-2026-b5304cc714 (jfrog-cli-2.98.0-1.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-b5304cc714
Bugzilla
CVE-2026-33762 vagrant: go-git: Denial of Service via crafted Git index file [fedora-all]
bugzilla·2026-04-02·CVSS 2.8
Discussion:
Vagrant does not ship any Golang bits
Bugzilla
CVE-2026-33762 forgejo-runner: go-git: Denial of Service via crafted Git index file [fedora-all]
bugzilla·2026-04-02·CVSS 2.8
Discussion:
FEDORA-2026-cf660bc96a has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-cf660bc96a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-cf660bc96a
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Bugzilla
CVE-2026-33762 cri-o1.29: go-git: Denial of Service via crafted Git index file [fedora-all]
bugzilla·2026-04-02·CVSS 2.8
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-33762 chezmoi: go-git: Denial of Service via crafted Git index file [fedora-all]
bugzilla·2026-04-02·CVSS 2.8
Discussion:
FEDORA-2026-905e9afc79 (chezmoi-2.70.5-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-905e9afc79
Bugzilla
CVE-2026-33762 chezmoi: go-git: Denial of Service via crafted Git index file [epel-all]
bugzilla·2026-04-02·CVSS 2.8
Discussion:
FEDORA-EPEL-2026-b18955a7ae (chezmoi-2.70.5-1.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-b18955a7ae
---
FEDORA-EPEL-2026-aa1072911c (chezmoi-2.70.5-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-aa1072911c
---
FEDORA-EPEL-2026-d404995bb4 (chezmoi-2.70.5-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bo
Bugzilla
CVE-2026-33762 github.com/go-git/go-git/v5: go-git: Denial of Service via crafted Git index file
bugzilla·2026-03-31·CVSS 2.8
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
Published 2026-03-31