CVE Database

May 30, 2024CVE-2024-5526Grafana OnCall Webhook SSRF
March 26, 2024CVE-2024-1313Users outside an organization can delete a snapshot with its key
March 7, 2024CVE-2024-1442User with permissions to create a data source can CRUD all data sources
February 14, 2024CVE-2023-5123Improper Path Sanitization in JSON Datasource Plugin
February 14, 2024CVE-2023-5122SSRF in CSV Datasource Plugin
February 13, 2024CVE-2023-6152Email verification is not required after email change
October 12, 2023CVE-2023-4399Grafana Enterprise datasource network restrictions bypass
October 12, 2023CVE-2023-4822Grafana org admins can modify permissions across all orgs
September 19, 2023CVE-2023-4457Google Sheets data source plugin - API key leaks in error messages
June 22, 2023CVE-2023-3128Grafana authentication bypass using Azure AD OAuth
June 8, 2023CVE-2023-3010Grafana WorldMap Panel Plugin DOM XSS
June 6, 2023CVE-2023-2183Broken Access Control in Alert manager
June 6, 2023CVE-2023-2801Grafana ds proxy race condition
April 26, 2023CVE-2023-1387JWT URL-login flow leaks token to data sources through request parameter in proxy requests
March 22, 2023CVE-2023-1410Stored XSS in Graphite FunctionDescription tooltip
February 28, 2023CVE-2023-0594Stored XSS in TraceView Panel
February 28, 2023CVE-2023-22462Text panel plugin XSS
February 28, 2023CVE-2023-0507XSS In Geomap Via Attribution
February 1, 2023CVE-2022-23498Use of Cache Containing Sensitive Information
January 26, 2023CVE-2022-39324Spoofing originalUrl of snapshots
January 26, 2023CVE-2022-23552Stored XSS in ResourcePicker component
November 8, 2022CVE-2022-39306Email addresses and usernames can not be trusted
November 8, 2022CVE-2022-39328Race condition allowing privilege escalation
November 8, 2022CVE-2022-39307User enumeration via forget password
October 12, 2022CVE-2022-39201Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
October 12, 2022CVE-2022-31130Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
October 12, 2022CVE-2022-31123Plugin signature bypass
October 12, 2022CVE-2022-39229Using email as a username can block other users from signing in
September 20, 2022CVE-2022-35957Escalation from admin to server admin when auth proxy is used
September 20, 2022CVE-2022-36062Grafana folders admin only permission privilege escalation
August 30, 2022CVE-2022-31176Grafana Image Renderer leaking files
July 14, 2022CVE-2022-31107Grafana account takeover via OAuth vulnerability
July 14, 2022CVE-2022-31097Stored XSS in Unified Alerting
May 19, 2022CVE-2022-29170Grafana Enterprise datasource network restrictions bypass via HTTP redirects
April 12, 2022CVE-2022-24812Grafana Enterprise fine-grained access control API Key privilege escalation
February 8, 2022CVE-2022-21703Grafana Cross Site Request Forgery
February 8, 2022CVE-2022-21702Grafana proxy XSS
February 8, 2022CVE-2022-21713Grafana Teams API IDOR
January 18, 2022CVE-2022-21673Forward OAuth Identity Token can allow users to access some data sources