
github.com/grafana/grafana vulnerabilities (cvebase)

61 known vulnerabilities affecting the Go module github.com/grafana/grafana.

Total CVEs: 61
CISA KEV (actively exploited): 2
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 5, HIGH 18, MEDIUM 35, LOW 3

Vulnerabilities

Page 1 of 4
CVE-2021-39226 | P1 | HIGH | CVSS 7.3 | KEV, PoC | 2021-10-05
  Affected: ≥ 0, < 7.5.11; ≥ 8.0.0, < 8.1.6
  CWE-287: Authentication bypass for viewing and deletions of snapshots
  Today we are releasing Grafana 7.5.11 and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1. [Grafana Cloud](https://grafana.com/cloud) instances have already been patched and an audit did not find any usage of this attack vector. [Grafana Enterprise](https://grafana.com/pro…
  Sources: GHSA, OSV
CVE-2021-43798 | P1 | HIGH | CVSS 7.5 | KEV, PoC | 2024-02-01
  Affected: ≥ 8.3.0, < 8.3.1; ≥ 8.2.0, < 8.2.7; +2 more
  CWE-22: Grafana path traversal
  Today we are releasing Grafana 8.3.1, 8.2.7, 8.1.8, 8.0.7. This patch release includes a high severity security fix that affects Grafana versions from v8.0.0-beta1 through v8.3.0.
  Release v8.3.1, only containing a security fix:
    - [Download Grafana 8.3.1](https://grafana.com/grafana/download/8.3.1)
    - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-1/)
  Release v8.2.7, only contain…
  Sources: GHSA, OSV
CVE-2020-13379 | P1 | MEDIUM | Exploited in wild, PoC | 2022-02-15
  Affected: ≥ 3.0.1, < 6.7.4; ≥ 7.0.0, < 7.0.2
  CWE-918: Server Side Request Forgery in Grafana
  The avatar feature in Grafana (github.com/grafana/grafana/pkg/api/avatar) 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is…
  Sources: GHSA, OSV
CVE-2025-4123 | P2 | HIGH | Exploited in wild, PoC | 2025-05-22
  Affected: ≥ 0, < 0.0.0-20250521183405-c7a690348df7
  CWE-79: Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin
  A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabl…
  Sources: GHSA, OSV
CVE-2021-27358 | P1 | MEDIUM | Exploited in wild, PoC | 2022-02-15
  Affected: ≥ 6.7.3, < 7.4.2
  CWE-306: Denial of service in Grafana
  The snapshot feature in Grafana before 7.4.2 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
  Affected Go package: github.com/grafana/grafana/pkg/middleware
  Sources: GHSA, OSV
CVE-2025-3415 | P2 | MEDIUM | Exploited in wild, PoC | 2025-07-17
  Affected: ≥ 0, < 1.9.2-0.20250514160932-04111e9f2afd
  CWE-200: Grafana's insecure DingDing Alert integration exposes sensitive information
  Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6…
  Sources: GHSA, OSV
CVE-2024-9264 | P2 | CRITICAL | PoC | 2024-10-18
  Affected: ≥ 11.0.0, < 11.0.6+security-01; ≥ 11.1.0, < 11.1.7+security-01; +1 more
  CWE-77: Grafana Command Injection and Local File Inclusion via SQL Expressions
  The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable…
  Sources: GHSA, OSV
CVE-2025-6023 | P2 | HIGH | PoC | 2025-07-18
  Affected: ≥ 0, < 1.9.2-0.20250521205822-0ba0b99665a9
  CWE-79: Grafana is vulnerable to XSS attacks through open redirects and path traversal
  An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.…
  Sources: GHSA, OSV
CVE-2018-15727 | P2 | CRITICAL | 2022-02-15
  Affected: ≥ 0, < 4.6.4; ≥ 5.0.0, < 5.2.3
  CWE-287: Grafana Authentication Bypass
  Grafana before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
  Affected Go package: github.com/grafana/grafana/pkg/api
  Sources: GHSA, OSV
CVE-2022-31097 | P2 | HIGH | CVSS 8.7 | 2024-05-14
  Affected: ≥ 9.0.0, < 9.0.3; ≥ 8.5.0, < 8.5.9; +2 more
  CWE-79: Grafana Stored Cross-site Scripting in Unified Alerting
  Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for a stored Cross Site Scripting in Grafana.
  Release v9.0.3, containing this security fix and other patches:
    - [Download Grafana 9.0.3](https://grafana.com/grafana/download/9.0.3)
    - [Release notes](https://grafana.com/docs/grafana/ne…
  Sources: GHSA, OSV
CVE-2025-41115 | P2 | CRITICAL | 2025-11-21
  Affected: ≥ 12.0.0, < 12.0.7; ≥ 12.1.0, < 12.1.4; +2 more
  CWE-266: Grafana Incorrect Privilege Assignment vulnerability
  SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM clie…
  Sources: GHSA, OSV
CVE-2023-3128 | P2 | CRITICAL | 2023-06-22
  Affected: ≥ 9.4.0, < 9.4.13; ≥ 9.3.0, < 9.3.16; +2 more
  CWE-290: Grafana vulnerable to Authentication Bypass by Spoofing
  Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
  Sources: GHSA, OSV
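The account-linking mistake behind CVE-2023-3128, shown as an added example (not Grafana's code and not a description of its actual fix): the vulnerable lookup selects the local account by the `email` claim, which the advisory says is neither unique nor immutable across Azure AD tenants; the hardened lookup keys on the `tid` and `oid` claims (the directory object identity Azure AD keeps stable) and rejects tenants outside an allow-list. The tokens, accounts and tenant names are constructed for the example.

```python
# Constructed claim sets standing in for two decoded Azure AD ID tokens.
# Alice is a real user in tenant A. The attacker owns tenant B and has set the
# mutable profile e-mail there to Alice's address; a multi-tenant app accepts
# tokens from both tenants.
VICTIM_TOKEN = {"tid": "tenant-a", "oid": "c0ffee00-alice", "email": "alice@example.com"}
ATTACKER_TOKEN = {"tid": "tenant-b", "oid": "deadbeef-eve", "email": "alice@example.com"}

# Constructed local account table. (tid, oid) is the stable Azure AD identity
# recorded when the account was first linked; the e-mail is display data only.
USERS = [
    {"login": "alice", "email": "alice@example.com", "tid": "tenant-a", "oid": "c0ffee00-alice"},
    {"login": "bob", "email": "bob@example.com", "tid": "tenant-a", "oid": "c0ffee00-bob"},
]


def lookup_by_email(token, users):
    """Behaviour the advisory describes: the account is selected by the email
    claim alone, so a token from any tenant carrying alice@example.com logs in
    as alice."""
    claimed = token.get("email", "").lower()
    for u in users:
        if u["email"].lower() == claimed:
            return u["login"]
    return None


def lookup_by_subject(token, users, allowed_tenants):
    """Hardened lookup (this example's suggestion): refuse tokens from tenants
    outside the allow-list, then match on (tid, oid), which Azure AD keeps
    stable and unique per directory object. The email claim is never used as
    an account key."""
    tid, oid = token.get("tid"), token.get("oid")
    if tid not in allowed_tenants or not oid:
        return None
    for u in users:
        if (u["tid"], u["oid"]) == (tid, oid):
            return u["login"]
    # Unknown subject: provision a fresh account or deny; never merge into an
    # existing account on the strength of a matching e-mail.
    return None


if __name__ == "__main__":
    print("by email   :", lookup_by_email(ATTACKER_TOKEN, USERS))
    print("by subject :", lookup_by_subject(ATTACKER_TOKEN, USERS, {"tenant-a"}))
```

Even with the subject-based lookup, the tenant allow-list matters: an attacker who can create users in an allowed tenant still gets a distinct (tid, oid) and therefore a fresh account rather than Alice's, which is the property the email-keyed lookup lacked.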
CVE-2020-11110 | P3 | MEDIUM | PoC | 2022-05-24
  Affected: ≥ 0, < 6.7.2
  CWE-79: Grafana stored XSS
  Grafana through 6.7.1 allows stored XSS.
  Sources: GHSA, OSV
CVE-2024-1442 | P3 | HIGH | 2024-03-07
  Affected: ≥ 8.5.0, < 9.5.7; ≥ 10.0.0, < 10.0.12; +3 more
  CWE-269: Grafana's users with permissions to create a data source can CRUD all data sources
  A user with the permissions to create a data source can use the Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
  Sources: GHSA, OSV
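Why a data source whose UID is literally `*` collapses the permission model, as an added example (not Grafana's code): the creator of a data source receives an object-level grant on it, and if that grant is rendered as a scope string with the UID embedded, a wildcard UID turns it into a grant over every data source. The scope format `datasources:uid:<uid>`, the prefix-wildcard matching rule and the UID character set in the hardened check are assumptions of this example; the data-source inventory is constructed.

```python
import re

# Constructed data-source inventory, in the shape of objects returned by the
# data sources API (only the fields used here). The last entry is what a user
# holding only the create permission could register before the fix: a UID
# that is literally "*".
DATASOURCES = [
    {"uid": "prom-prod", "name": "Prometheus (prod)", "type": "prometheus"},
    {"uid": "loki-prod", "name": "Loki (prod)", "type": "loki"},
    {"uid": "*", "name": "scratch", "type": "testdata"},
]


def scope_matches(granted, requested):
    """Wildcard scope matching as assumed for this example: a granted scope
    ending in '*' covers every requested scope that shares its prefix."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def datasource_scope(uid):
    # Assumed scope format 'datasources:uid:<uid>' for the object-level grant a
    # creator receives on the data source they just created.
    return f"datasources:uid:{uid}"


def reachable_via_creator_grant(created_uid, datasources):
    """Data sources the creator of `created_uid` can reach through the single
    object-level grant on their own data source."""
    granted = datasource_scope(created_uid)
    return [ds["uid"] for ds in datasources
            if scope_matches(granted, datasource_scope(ds["uid"]))]


# Hardened input check (this example's suggestion): a user-supplied UID is an
# opaque identifier and must never contain a scope metacharacter. The allowed
# character set and length are assumptions for the example.
UID_RE = re.compile(r"^[A-Za-z0-9_-]{1,40}$")


def is_valid_uid(uid):
    return bool(UID_RE.match(uid))


def find_wildcard_uids(datasources):
    """Audit helper: existing data sources whose UID fails the check above and
    would therefore behave as a wildcard inside a scope string."""
    return [ds["uid"] for ds in datasources if not is_valid_uid(ds["uid"])]


if __name__ == "__main__":
    print("creator of prom-prod reaches:", reachable_via_creator_grant("prom-prod", DATASOURCES))
    print("creator of * reaches        :", reachable_via_creator_grant("*", DATASOURCES))
    print("wildcard UIDs to clean up   :", find_wildcard_uids(DATASOURCES))
```

On an instance that was upgraded past the fixed versions, the audit helper is still worth running once over the output of the data sources API: a `*` UID created while the instance was vulnerable does not disappear with the patch.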
CVE-2025-3260 | P3 | HIGH | 2025-06-02
  Affected: ≥ 0.0.0-20250114093457-36d6fad421fb, < 0.0.0-20250521183405-c7a690348df7
  CWE-863: Grafana vulnerable to authenticated users bypassing dashboard, folder permissions
  A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).
  Impact:
    - Viewers can view all dashboards/folders regardless of permissions
    - Editors…
  Sources: GHSA, OSV
CVE-2026-33381 | P3 | MEDIUM | 2026-05-13
  Affected: ≥ 0, < 1.9.2-0.20260513165311-fb7336fc36c1
  CWE-284: Grafana: Users can generate Service Account tokens after permissions removal
  When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
  Sources: GHSA
CVE-2022-39328 | P3 | HIGH | CVSS 8.1 | 2024-05-14
  Affected: ≥ 9.2.0, < 9.2.4
  CWE-362: Grafana Race condition allowing privilege escalation
  Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes critical security fixes for CVE-2022-39328.
  Release 9.2.4, latest patch, also containing security fix:
    - [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4)
  Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as al…
  Sources: GHSA, OSV
CVE-2022-31107 | P3 | HIGH | CVSS 7.5 | 2024-05-14
  Affected: ≥ 5.3.0-beta1, < 8.3.10; ≥ 8.4.0, < 8.4.10; +2 more
  CWE-863: Grafana account takeover via OAuth vulnerability
  Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for an OAuth takeover vulnerability in Grafana.
  Release v9.0.3, containing this security fix and other patches:
    - [Download Grafana 9.0.3](https://grafana.com/grafana/download/9.0.3)
    - [Release notes](https://grafana.com/docs/grafana/next/release-…
  Sources: GHSA, OSV
CVE-2022-31130 | P3 | HIGH | CVSS 7.5 | 2024-05-14
  Affected: ≥ 9.0.0, < 9.1.8; ≥ 7.0.0, < 8.5.14
  CWE-200: Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
  Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. R…
  Sources: GHSA, OSV
CVE-2019-13068 | P3 | MEDIUM | 2022-05-24
  Affected: ≥ 0, < 6.2.5
  CWE-79: Grafana Cross-site Scripting vulnerability
  `public/app/features/panel/panel_ctrl.ts` in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).
  Sources: GHSA, OSV
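Matching an installed Grafana version against the "Affected" ranges above is less mechanical than it looks, so here is an added example (not code from cvebase or Grafana) that does it for a subset of the listed ranges. Two points a plain SemVer comparison gets wrong: Grafana ships security fixes as `+security-NN` builds, so `11.0.6` is inside the CVE-2024-9264 range while `11.0.6+security-01` is not, whereas strict SemVer ranks the two as equal; and several entries bound their range with a Go module pseudo-version (`0.0.0-20250521183405-c7a690348df7`), which names a commit rather than a release and cannot be compared with a release tag, so those CVEs are reported as unresolvable and must be checked against the fixed versions quoted in the advisory text. The range table is copied from this page and is incomplete wherever the page collapses ranges as "+N more".

```python
import re

# Affected ranges copied from the listing above (first page only). Entries the
# page collapses with "+N more" are incomplete here, so "not affected" from
# this table is not a clean bill of health for those CVEs.
AFFECTED_RANGES = {
    "CVE-2021-39226": ["≥ 0, < 7.5.11", "≥ 8.0.0, < 8.1.6"],
    "CVE-2021-43798": ["≥ 8.3.0, < 8.3.1", "≥ 8.2.0, < 8.2.7"],            # +2 more
    "CVE-2022-31107": ["≥ 5.3.0-beta1, < 8.3.10", "≥ 8.4.0, < 8.4.10"],     # +2 more
    "CVE-2024-9264": ["≥ 11.0.0, < 11.0.6+security-01",
                      "≥ 11.1.0, < 11.1.7+security-01"],                  # +1 more
    "CVE-2025-41115": ["≥ 12.0.0, < 12.0.7", "≥ 12.1.0, < 12.1.4"],        # +2 more
    "CVE-2025-4123": ["≥ 0, < 0.0.0-20250521183405-c7a690348df7"],
}

RANGE_RE = re.compile(r"≥\s*(\S+),\s*<\s*(\S+)")
# Tail of a Go module pseudo-version: 14-digit timestamp plus 12 hex digits of commit.
PSEUDO_RE = re.compile(r"\d{14}-[0-9a-f]{12}$")


def is_pseudo_version(v):
    return bool(PSEUDO_RE.search(v))


def _ident_key(ident):
    # "beta1" -> ((1, "beta"), (0, 1)); "01" -> ((0, 1),). Numbers compare
    # numerically, text lexically, and numbers sort before text.
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|\D+", ident))


def version_key(v):
    """Sort key for Grafana release strings such as 8.3.0, 5.3.0-beta1,
    11.0.6+security-01.

    Deliberately deviates from strict SemVer in one way: '+security-NN' build
    metadata sorts AFTER the bare version, because that is how Grafana ships
    security fixes (11.0.6 is inside the CVE-2024-9264 range, 11.0.6+security-01
    is the fix). A strict SemVer comparer ranks them equal and misses that.
    """
    v = v.lstrip("v")
    base, _, build = v.partition("+")
    core, _, pre = base.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))                       # "0" -> (0, 0, 0)
    pre_key = (0, tuple(_ident_key(p) for p in pre.split("."))) if pre else (1, ())
    build_key = (1, tuple(_ident_key(p) for p in build.split("."))) if build else (0, ())
    return (nums, pre_key, build_key)


def affected_by(version, table=AFFECTED_RANGES):
    """Return (affected, unresolvable): CVE ids whose listed range contains
    `version`, and CVE ids whose range is bounded by a Go pseudo-version.

    A pseudo-version names a commit, not a release, so it cannot be compared
    with a release tag; for those CVEs consult the fixed versions quoted in
    the advisory text instead (e.g. "Fixed in versions ...+security-01").
    """
    affected, unresolvable = [], []
    for cve, ranges in table.items():
        for rng in ranges:
            lo, hi = RANGE_RE.match(rng).groups()
            if is_pseudo_version(lo) or is_pseudo_version(hi):
                unresolvable.append(cve)
                break
            if version_key(lo) <= version_key(version) < version_key(hi):
                affected.append(cve)
                break
    return affected, unresolvable


if __name__ == "__main__":
    for v in ("8.3.0", "11.0.6", "11.0.6+security-01"):
        print(v, affected_by(v))
```

The pre-release handling matters for the CVE-2022-31107 lower bound of `5.3.0-beta1`: a `5.3.0-alpha1` build sorts below it and is correctly left out, while `5.3.0` itself is inside the range.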