Vulnerabilities in Grafana

102 results
CVE-2025-3454 | MEDIUM | This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the UR | EPSS 0.4%
CVE-2026-21726 | MEDIUM | Loki Path Traversal - CVE-2021-36156 Bypass | EPSS 0.4%
CVE-2024-5526 | HIGH | Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and inte | EPSS 0.4%
CVE-2025-1088 | LOW | Very long unicode dashboard title or panel name can hang the frontend | EPSS 0.4%
CVE-2026-42129 | HIGH | Path Traversal in Loki Datasource leads to Internal Information Disclosure | EPSS 0.4%
CVE-2023-4457 | MEDIUM | Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1. | EPSS 0.4%
CVE-2026-21721 | HIGH | Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation | EPSS 0.4%
CVE-2026-21728 | HIGH | Tempo query limit results in unbounded memory allocation | EPSS 0.4%
CVE-2025-3580 | MEDIUM | An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server admini | EPSS 0.4%
CVE-2026-28375 | MEDIUM | Grafana Testdata datasource can issue unbounded memory allocations | EPSS 0.4%
CVE-2026-27879 | MEDIUM | Query resampling can cause unbounded memory allocations | EPSS 0.4%
CVE-2024-11741 | MEDIUM | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected | EPSS 0.4%
CVE-2025-41118 | CRITICAL | Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection | EPSS 0.3%
CVE-2026-28376 | MEDIUM | Grafana Live push endpoint allows unbounded memory allocation leading to OOM | EPSS 0.3%
CVE-2026-33378 | MEDIUM | Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro | EPSS 0.3%
CVE-2026-28383 | MEDIUM | Grafana plugin resources can lead to unbounded memory allocation | EPSS 0.3%
CVE-2026-21722 | MEDIUM | Public Dashboards time range restriction on annotations can be bypassed | EPSS 0.3%
CVE-2025-10630 | MEDIUM | Regex DoS in Grafana Zabbix Plugin | EPSS 0.3%
CVE-2026-11769 | MEDIUM | Operator - Namespaced User Path Traversal | EPSS 0.3%
CVE-2024-6322 | MEDIUM | Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account | EPSS 0.3%