CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-3415 – openSUSE Security Advisory - openSUSE-SU-2025:15226-1
https://notcve.org/view.php?id=CVE-2025-3415
05 Jul 2025 — Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 These are all security issues fixed in the grafana-11.6.3-1.1 package on the GA media of openSUSE Tumbleweed. • https://grafana.com/security/security-advisories/cve-2025-3415 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1088 – Very long unicode dashboard title or panel name can hang the frontend
https://notcve.org/view.php?id=CVE-2025-1088
18 Jun 2025 — In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. These are al... • https://grafana.com/security/security-advisories/cve-2025-1088 • CWE-20: Improper Input Validation •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-3260 – openSUSE Security Advisory - openSUSE-SU-2025:15225-1
https://notcve.org/view.php?id=CVE-2025-3260
02 Jun 2025 — A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected ... • https://grafana.com/security/security-advisories/CVE-2025-3260 • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-3580 – SUSE Security Advisory - SUSE-SU-2025:01989-1
https://notcve.org/view.php?id=CVE-2025-3580
23 May 2025 — An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server ... • https://grafana.com/security/security-advisories/cve-2025-3580 • CWE-284: Improper Access Control •
CVSS: 5.0EPSS: 0%CPEs: 12EXPL: 0CVE-2025-3454 – openSUSE Security Advisory - openSUSE-SU-2025:15052-1
https://notcve.org/view.php?id=CVE-2025-3454
20 May 2025 — This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. These are all security issues fixed in the govulncheck-vulndb-0.0.20250612T141001-1.1 pa... • https://grafana.com/security/security-advisories/cve-2025-3454 • CWE-285: Improper Authorization •
CVSS: 9.0EPSS: 5%CPEs: 7EXPL: 8CVE-2025-4123 – Grafana 11.6.0 - SSRF
https://notcve.org/view.php?id=CVE-2025-4123
19 May 2025 — A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Pol... • https://www.exploit-db.com/exploits/52491 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.0EPSS: 0%CPEs: 10EXPL: 0CVE-2025-2703 – openSUSE Security Advisory - openSUSE-SU-2025:15052-1
https://notcve.org/view.php?id=CVE-2025-2703
23 Apr 2025 — The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. These are all security issues fixed in the grafana-11.5.4-1.1 package on the GA media of openSUSE Tumbleweed. • https://grafana.com/security/security-advisories/cve-2025-2703 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-11741 – SUSE Security Advisory - SUSE-SU-2025:01985-1
https://notcve.org/view.php?id=CVE-2024-11741
31 Jan 2025 — Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 This update for grafana fixes the following issues. Grafana was updated from version 10.4.13 to 10.4.15. Fixed vulnerability when creating log files. • https://grafana.com/security/security-advisories/cve-2024-11741 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10452 – openSUSE Security Advisory - openSUSE-SU-2024:0350-1
https://notcve.org/view.php?id=CVE-2024-10452
29 Oct 2024 — Organization admins can delete pending invites created in an organization they are not part of. An update that fixes 56 vulnerabilities, contains one feature is now available. This update for govulncheck-vulndb fixes the following issues. • https://grafana.com/security/security-advisories/cve-2024-10452 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.9EPSS: 94%CPEs: 6EXPL: 15CVE-2024-9264 – Grafana SQL Expressions allow for remote code execution
https://notcve.org/view.php?id=CVE-2024-9264
18 Oct 2024 — The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. An update ... • https://packetstorm.news/files/id/182335 • CWE-94: Improper Control of Generation of Code ('Code Injection') •