CVSS: 7.1 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-41117 – XSS in Grafana Explore stack trace
https://notcve.org/view.php?id=CVE-2025-41117
12 Feb 2026 — Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever. • https://grafana.com/security/security-advisories/CVE-2025-41117 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-21722 – Public Dashboards time range restriction on annotations can be bypassed
https://notcve.org/view.php?id=CVE-2026-21722
12 Feb 2026 — Public dashboards with annotations enabled did not limit their annotation time range to the locked time range of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked time range. This did not leak any annotations that would not otherwise be visible on the public dashboard. • https://grafana.com/security/security-advisories/CVE-2026-21722 • CWE-863: Incorrect Authorization •
CVSS: 8.5 | EPSS: 0% | CPEs: 10 | EXPL: 0 | CVE-2026-21721 – Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
https://notcve.org/view.php?id=CVE-2026-21721
27 Jan 2026 — The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation. • https://grafana.com/security/security-advisories/CVE-2026-21721 • CWE-863: Incorrect Authorization •
CVSS: 7.8 | EPSS: 0% | CPEs: 10 | EXPL: 0 | CVE-2026-21720 – Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
https://notcve.org/view.php?id=CVE-2026-21720
27 Jan 2026 — Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems. • https://grafana.com/security/security-advisories/CVE-2026-21720 • CWE-400: Uncontrolled Resource Consumption CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-41115 – Incorrect privilege assignment
https://notcve.org/view.php?id=CVE-2025-41115
21 Nov 2025 — SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalatio... • https://grafana.com/security/security-advisories/CVE-2025-41115 • CWE-266: Incorrect Privilege Assignment •
CVSS: 5.0 | EPSS: 0% | CPEs: 12 | EXPL: 0 | CVE-2025-3454 – openSUSE Security Advisory - openSUSE-SU-2025:15052-1
https://notcve.org/view.php?id=CVE-2025-3454
20 May 2025 — This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. These are all security issues fixed in the govulncheck-vulndb-0.0.20250612T141001-1.1 pa... • https://grafana.com/security/security-advisories/cve-2025-3454 • CWE-285: Improper Authorization •
CVSS: 8.0 | EPSS: 0% | CPEs: 10 | EXPL: 0 | CVE-2025-2703 – openSUSE Security Advisory - openSUSE-SU-2025:15052-1
https://notcve.org/view.php?id=CVE-2025-2703
23 Apr 2025 — The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. These are all security issues fixed in the grafana-11.5.4-1.1 package on the GA media of openSUSE Tumbleweed. • https://grafana.com/security/security-advisories/cve-2025-2703 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2024-9476 – Privilege escalation vulnerability for Organizations in Grafana
https://notcve.org/view.php?id=CVE-2024-9476
13 Nov 2024 — A privilege escalation vulnerability in Grafana Labs Grafana OSS and Enterprise allows users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant. This vulnerability will only affect users who utilize the Organizations feature to isolate resources on their Grafana instance. These are all security issues fixed in the grafana-11.3.2-1.1 package on the GA media of openSUSE Tumbleweed. • https://grafana.com/blog/2024/11/12/grafana-security-release-medium-severity-security-fix-for-cve-2024-9476 • CWE-266: Incorrect Privilege Assignment •
CVSS: 4.4 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2024-6322
https://notcve.org/view.php?id=CVE-2024-6322
20 Aug 2024 — Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource. • https://grafana.com/security/security-advisories/cve-2024-6322 • CWE-266: Incorrect Privilege Assignment •
CVSS: 6.8 | EPSS: 0% | CPEs: 10 | EXPL: 0 | CVE-2023-6152 – SUSE Security Advisory - SUSE-SU-2025:0545-1
https://notcve.org/view.php?id=CVE-2023-6152
13 Feb 2024 — A user who changes their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" only validates the email on sign up. This update for grafana and mybatis fixes the following ... • https://github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f • CWE-863: Incorrect Authorization •
