CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-3580
https://notcve.org/view.php?id=CVE-2025-3580
23 May 2025 — An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server ... • https://grafana.com/security/security-advisories/cve-2025-3580 • CWE-284: Improper Access Control •
CVSS: 5.0EPSS: 0%CPEs: 12EXPL: 0CVE-2025-3454 – openSUSE Security Advisory - openSUSE-SU-2025:15052-1
https://notcve.org/view.php?id=CVE-2025-3454
20 May 2025 — This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. These are all security issues fixed in the grafana-11.5.4-1.1 package on the GA media of... • https://grafana.com/security/security-advisories/cve-2025-3454 • CWE-285: Improper Authorization •
CVSS: 9.0EPSS: 3%CPEs: 7EXPL: 0CVE-2025-4123 – grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect
https://notcve.org/view.php?id=CVE-2025-4123
19 May 2025 — A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Pol... • https://grafana.com/security/security-advisories/cve-2025-4123 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-11741
https://notcve.org/view.php?id=CVE-2024-11741
31 Jan 2025 — Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 • https://grafana.com/security/security-advisories/cve-2024-11741 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.9EPSS: 92%CPEs: 6EXPL: 8CVE-2024-9264 – Grafana SQL Expressions allow for remote code execution
https://notcve.org/view.php?id=CVE-2024-9264
18 Oct 2024 — The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. • https://packetstorm.news/files/id/182335 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-8118 – Grafana alerting wrong permission on datasource rule write endpoint
https://notcve.org/view.php?id=CVE-2024-8118
26 Sep 2024 — In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. • https://grafana.com/security/security-advisories/cve-2024-8118 • CWE-653: Improper Isolation or Compartmentalization •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-6322
https://notcve.org/view.php?id=CVE-2024-6322
20 Aug 2024 — Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource. • https://grafana.com/security/security-advisories/cve-2024-6322 • CWE-266: Incorrect Privilege Assignment •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2023-34111 – Command Injection Vulnerability in `Release PR Merged` Workflow in taosdata/grafanaplugin
https://notcve.org/view.php?id=CVE-2023-34111
06 Jun 2023 — The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the wor... • https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •