Github.com/grafana/grafana

This hub aggregates every CVE we track for Github.com/grafana/grafana, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Github.com/grafana/grafana.

• CVE-2025-41115Incorrect privilege assignment10.0Nov 21, 2025
• CVE-2025-6023An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chaine...7.6Jul 18, 2025
• CVE-2025-3415Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixe...4.3Jul 17, 2025
• CVE-2025-1088Very long unicode dashboard title or panel name can hang the frontend2.7Jun 18, 2025
• CVE-2025-3454This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauth...5.0Jun 2, 2025
• CVE-2025-3260A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, ...8.3Jun 2, 2025
• CVE-2025-4123A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a fronten...7.6May 22, 2025
• CVE-2024-11741Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fi...4.3Jan 31, 2025
• CVE-2024-10452Organization admins can delete pending invites created in an organization they are not part of.2.2Oct 29, 2024
• CVE-2024-9264Grafana SQL Expressions allow for remote code execution9.9Oct 18, 2024
• CVE-2024-6322Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as...5.4Aug 20, 2024
• CVE-2024-1313Users outside an organization can delete a snapshot with its key6.5Mar 26, 2024
• CVE-2024-1442User with permissions to create a data source can CRUD all data sources6.0Mar 7, 2024
• CVE-2023-6152A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only ...5.4Feb 13, 2024
• CVE-2023-4822Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in...6.7Oct 16, 2023