Vulnerabilities
Vulnerable Software
Grafana:  Security Vulnerabilities
A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting).
CVSS Score
6.8
EPSS Score
0.002
Published
2026-07-10
An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance (denial of service).
CVSS Score
5.3
EPSS Score
0.004
Published
2026-07-10
Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service.
CVSS Score
7.5
EPSS Score
0.004
Published
2026-07-10
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
CVSS Score
3.1
EPSS Score
0.001
Published
2026-07-07
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.
CVSS Score
7.5
EPSS Score
0.004
Published
2026-06-22
A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard (stored cross-site scripting).
CVSS Score
7.3
EPSS Score
0.003
Published
2026-06-22
A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information.
CVSS Score
7.7
EPSS Score
0.004
Published
2026-06-22
The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host.
CVSS Score
9.6
EPSS Score
0.002
Published
2026-06-22
A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the configured backend.
CVSS Score
5.4
EPSS Score
0.003
Published
2026-06-22
A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.
CVSS Score
6.5
EPSS Score
0.002
Published
2026-06-19


Contact Us

Shodan ® - All rights reserved