| Date | CVE | Title |
|---|
| August 4, 2025 | CVE-2025-8341 | SSRF in Infinity Datasource Plugin |
| July 18, 2025 | CVE-2025-6023 | Grafana Cross-Site-Scripting (XSS) via scripted dashboards |
| July 18, 2025 | CVE-2025-6197 | Grafana Open Redirect in Organization Switching |
| July 17, 2025 | CVE-2025-3415 | Grafana Alerting DingDing Integration URL Exposed to Viewers |
| June 17, 2025 | CVE-2025-1088 | Very long unicode dashboard title or panel name can hang the frontend |
| June 2, 2025 | CVE-2025-3454 | Authorization Bypass in Datasource Proxy |
| June 2, 2025 | CVE-2025-3260 | Authorization vulnerability in /apis allows authenticated users to bypass all dashboard permissions |
| May 22, 2025 | CVE-2025-3580 | Organization admin can delete server admin in Grafana |
| May 21, 2025 | CVE-2025-4123 | Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin |
| April 23, 2025 | CVE-2025-2703 | XSS in Grafana XY Chart Plugin |
| January 31, 2025 | CVE-2024-11741 | Grafana Alerting VictorOps integration exposed to Viewers |
| November 12, 2024 | CVE-2024-9476 | Privilege escalation vulnerability for Organizations in Grafana |
| October 28, 2024 | CVE-2024-10452 | Org admins can delete pending invites in different org |
| October 17, 2024 | CVE-2024-9264 | Grafana SQL Expressions allow for remote code execution |
| September 26, 2024 | CVE-2024-8118 | Grafana alerting wrong permission on datasource rule write endpoint |
| September 25, 2024 | CVE-2024-8996 | Grafana Agent flow mode unquoted service path |
| September 25, 2024 | CVE-2024-8975 | Grafana Alloy unquoted service path |
| September 19, 2024 | CVE-2024-8986 | Information Leakage in grafana-plugin-sdk-go |
| July 23, 2024 | CVE-2024-6322 | Grafana plugins route actions are not scoped to instance |
| May 30, 2024 | CVE-2024-5526 | Grafana OnCall Webhook SSRF |
| March 26, 2024 | CVE-2024-1313 | Users outside an organization can delete a snapshot with its key |
| March 7, 2024 | CVE-2024-1442 | User with permissions to create a data source can CRUD all data sources |
| February 14, 2024 | CVE-2023-5123 | Improper Path Sanitization in JSON Datasource Plugin |
| February 14, 2024 | CVE-2023-5122 | SSRF in CSV Datasource Plugin |
| February 13, 2024 | CVE-2023-6152 | Email verification is not required after email change |
| October 12, 2023 | CVE-2023-4399 | Grafana Enterprise datasource network restrictions bypass |
| October 12, 2023 | CVE-2023-4822 | Grafana org admins can modify permissions across all orgs |
| September 19, 2023 | CVE-2023-4457 | Google Sheets data source plugin - API key leaks in error messages |
| June 22, 2023 | CVE-2023-3128 | Grafana authentication bypass using Azure AD OAuth |
| June 8, 2023 | CVE-2023-3010 | Grafana WorldMap Panel Plugin DOM XSS |
| June 6, 2023 | CVE-2023-2183 | Broken Access Control in Alert manager |
| June 6, 2023 | CVE-2023-2801 | Grafana ds proxy race condition |
| April 26, 2023 | CVE-2023-1387 | JWT URL-login flow leaks token to data sources through request parameter in proxy requests |
| March 22, 2023 | CVE-2023-1410 | Stored XSS in Graphite FunctionDescription tooltip |
| February 28, 2023 | CVE-2023-0594 | Stored XSS in TraceView Panel |
| February 28, 2023 | CVE-2023-22462 | Text panel plugin XSS |
| February 28, 2023 | CVE-2023-0507 | XSS In Geomap Via Attribution |
| February 1, 2023 | CVE-2022-23498 | Use of Cache Containing Sensitive Information |
| January 26, 2023 | CVE-2022-39324 | Spoofing originalUrl of snapshots |
| January 26, 2023 | CVE-2022-23552 | Stored XSS in ResourcePicker component |
| November 8, 2022 | CVE-2022-39306 | Email addresses and usernames can not be trusted |
| November 8, 2022 | CVE-2022-39328 | Race condition allowing privilege escalation |
| November 8, 2022 | CVE-2022-39307 | User enumeration via forget password |
| October 12, 2022 | CVE-2022-39201 | Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins |
| October 12, 2022 | CVE-2022-31130 | Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins |
| October 12, 2022 | CVE-2022-31123 | Plugin signature bypass |
| October 12, 2022 | CVE-2022-39229 | Using email as a username can block other users from signing in |
| September 20, 2022 | CVE-2022-35957 | Escalation from admin to server admin when auth proxy is used |
| September 20, 2022 | CVE-2022-36062 | Grafana folders admin only permission privilege escalation |
| August 30, 2022 | CVE-2022-31176 | Grafana Image Renderer leaking files |
| July 14, 2022 | CVE-2022-31107 | Grafana account takeover via OAuth vulnerability |
| July 14, 2022 | CVE-2022-31097 | Stored XSS in Unified Alerting |
| May 19, 2022 | CVE-2022-29170 | Grafana Enterprise datasource network restrictions bypass via HTTP redirects |
| April 12, 2022 | CVE-2022-24812 | Grafana Enterprise fine-grained access control API Key privilege escalation |
| February 8, 2022 | CVE-2022-21703 | Grafana Cross Site Request Forgery |
| February 8, 2022 | CVE-2022-21702 | Grafana proxy XSS |
| February 8, 2022 | CVE-2022-21713 | Grafana Teams API IDOR |
| January 18, 2022 | CVE-2022-21673 | Forward OAuth Identity Token can allow users to access some data sources |
