Search criteria
4 vulnerabilities found for grafana/grafana-enterprise by Grafana
CVE-2025-41117 (GCVE-0-2025-41117)
Vulnerability from cvelistv5 – Published: 2026-02-12 08:49 – Updated: 2026-02-13 04:56
VLAI?
Title
XSS in Grafana Explore stack trace
Summary
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.
Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
Severity ?
6.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Grafana | grafana/grafana |
Affected:
12.2.0 , < 12.2.4+security-01
(semver)
Affected: 12.3.0 , < 12.3.2+security-01 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41117",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T04:56:29.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-12T07:13:06.000Z",
"descriptions": [
{
"lang": "en",
"value": "Stack traces in Grafana\u0027s Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.\n\nOnly datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T13:00:22.993Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-41117"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "XSS in Grafana Explore stack trace",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-41117",
"datePublished": "2026-02-12T08:49:08.545Z",
"dateReserved": "2025-04-16T09:19:26.443Z",
"dateUpdated": "2026-02-13T04:56:29.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21722 (GCVE-0-2026-21722)
Vulnerability from cvelistv5 – Published: 2026-02-12 08:49 – Updated: 2026-02-12 14:24
VLAI?
Title
Public Dashboards time range restriction on annotations can be bypassed
Summary
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.
This did not leak any annotations that would not otherwise be visible on the public dashboard.
Severity ?
5.3 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Grafana | grafana/grafana |
Affected:
9.3.0 , < 11.6.10+security-01
(semver)
Affected: 12.0.0 , < 12.1.6+security-01 (semver) Affected: 12.2.0 , < 12.2.4+security-01 (semver) Affected: 12.3.0 , < 12.3.2+security-01 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T14:24:06.337064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T14:24:22.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.10+security-01",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.6+security-01",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.10+security-01",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.6+security-01",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.4+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.2+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-12T07:13:06.000Z",
"descriptions": [
{
"lang": "en",
"value": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T13:00:21.310Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21722"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Public Dashboards time range restriction on annotations can be bypassed",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21722",
"datePublished": "2026-02-12T08:49:05.678Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-02-12T14:24:22.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21721 (GCVE-0-2026-21721)
Vulnerability from cvelistv5 – Published: 2026-01-27 09:07 – Updated: 2026-02-12 13:00
VLAI?
Title
Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
Summary
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
Severity ?
8.1 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Grafana | grafana/grafana |
Affected:
12.3.0 , < 12.3.1
(semver)
|
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T04:55:18.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-01-27T09:05:28.422Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/markdown",
"value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
}
],
"value": "The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization\u2011internal privilege escalation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T13:00:20.718Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21721"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Dashboard Permissions Scope Bypass Enables Cross\u2011Dashboard Privilege Escalation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21721",
"datePublished": "2026-01-27T09:07:55.160Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-02-12T13:00:20.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21720 (GCVE-0-2026-21720)
Vulnerability from cvelistv5 – Published: 2026-01-27 09:07 – Updated: 2026-02-12 13:00
VLAI?
Title
Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
Summary
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Grafana | grafana/grafana-enterprise |
Affected:
3.0.0 , < 11.6.9
(semver)
|
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21720",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T14:28:02.795937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T14:29:08.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.9",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.8",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.1.5",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.2.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana-enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-01-27T09:03:09.893Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/markdown",
"value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
}
],
"value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T13:00:20.088Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21720"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21720",
"datePublished": "2026-01-27T09:07:04.758Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-02-12T13:00:20.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}