pkg:Go/github.com/grafana/grafana

All known vulnerabilities

• HIGH7.5CVE-2021-43798⚠ KEVGrafana path traversal
  >= 8.3.0, < 8.3.1
• HIGH7.3CVE-2021-39226⚠ KEVSnapshot authentication bypass in grafana
  from 0, < 7.5.11
• CRITICAL10.0Incorrect privilege assignment
  >= 1.9.2-0.20250310110405-e6fdb746f235
• CRITICAL10.0Incorrect privilege assignment
  >= 12.0.0, < 12.0.7
• CRITICAL9.9Grafana SQL Expressions allow for remote code execution
  from 0
• CRITICAL9.9Grafana SQL Expressions allow for remote code execution
  >= 11.0.0, < 11.0.6+security-01
• CRITICAL9.8Grafana vulnerable to race condition allowing privilege escalation
  from 0
• CRITICAL9.8Grafana vulnerable to race condition allowing privilege escalation
  >= 9.2.0, < 9.2.4
• CRITICAL9.8Grafana Authentication Bypass in github.com/grafana/grafana
  from 0, < 4.6.4
• CRITICAL9.8Grafana Authentication Bypass in github.com/grafana/grafana
  from 0, < 4.6.4+incompatible, >= 5.0.0+incompatible, < 5.2.3+incompatible
• CRITICAL9.4Grafana vulnerable to Authentication Bypass by Spoofing
  >= 9.4.0, < 9.4.13
• CRITICAL9.1Cross organization admin control in Grafana
  >= 8.0.0, < 8.2.4
• HIGH8.3Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana
  >= 0.0.0-20250114093457-36d6fad421fb, < 0.0.0-20250521183405-c7a690348df7
• HIGH8.3Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana
  >= 0.0.0-20250114093457-36d6fad421fb
• HIGH8.2Denial of service in Grafana
  >= 6.7.3, < 7.4.2
• HIGH7.6Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana
  from 0
• HIGH7.6Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana
  from 0, < 1.9.2-0.20250521205822-0ba0b99665a9
• HIGH7.6Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana
  from 0
• HIGH7.6Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana
  from 0, < 0.0.0-20250521183405-c7a690348df7
• HIGH7.6Grafana folders admin only permission privilege escalation
  from 0
• HIGH7.6Grafana folders admin only permission privilege escalation
  >= 8.5.0, < 8.5.13
• HIGH7.5Grafana Missing Synchronization vulnerability
  from 0, < 9.4.12
• HIGH7.3Stored XSS in Grafana's Unified Alerting
  from 0
• HIGH7.3Stored XSS in Grafana's Unified Alerting
  >= 9.0.0, < 9.0.3
• HIGH7.1Grafana account takeover via OAuth vulnerability
  from 0
• HIGH7.1Grafana account takeover via OAuth vulnerability
  >= 5.3.0-beta1, < 8.3.10
• MEDIUM6.8XSS in Grafana Explore stack trace
  >= 12.2.0, < 12.2.5
• MEDIUM6.8Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
  >= 5.0.0-beta1, < 8.5.14
• MEDIUM6.8Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
  >= 5.0.0-beta1+incompatible
• MEDIUM6.8Cross site scripting in Grafana proxy
  >= 2.0.0-beta1, < 7.5.15
• MEDIUM6.7Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password
  from 0
• MEDIUM6.7Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password
  >= 9.0.0, < 9.2.4
• MEDIUM6.7Grafana vulnerable to spoofing originalUrl of snapshots
  from 0
• MEDIUM6.7Grafana vulnerable to spoofing originalUrl of snapshots
  >= 9.0.0, < 9.2.8
• MEDIUM6.7Grafana privilege escalation vulnerability
  from 0, <= 10.1.5
• MEDIUM6.6Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin
  >= 9.1.0, < 9.1.6
• MEDIUM6.6Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin
  from 0
• MEDIUM6.5Public dashboards discloses all direct mode datasources
  >= 9.3.0
• MEDIUM6.5Users outside an organization can delete a snapshot with its key
  from 0
• MEDIUM6.5Users outside an organization can delete a snapshot with its key
  >= 9.5.0, < 9.5.18
• MEDIUM6.5Arbitrary file read in github.com/grafana/grafana
  from 0, < 6.4.4
• MEDIUM6.5Arbitrary file read in github.com/grafana/grafana
  from 0
• MEDIUM6.4Grafana contains Improper Input Validation
  from 0
• MEDIUM6.4Grafana contains Improper Input Validation
  >= 8.0.0, < 8.5.15
• MEDIUM6.4Stored XSS in Grafana Text plugin
  >= 9.2.0, < 9.2.10
• MEDIUM6.2Stored XSS in Graphite FunctionDescription tooltip
  >= 8.0.0, < 8.5.22
• MEDIUM6.1Grafana plugin signature bypass vulnerability
  >= 9.0.0, < 9.1.8
• MEDIUM6.1Grafana plugin signature bypass vulnerability
  from 0
• MEDIUM6.1Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana
  from 0, < 5.2.0-beta1+incompatible
• MEDIUM6.1Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana
  from 0, < 5.2.0-beta1
• MEDIUM6.1Grafana XSS via adding a link in General feature in github.com/grafana/grafana
  from 0, < 6.0.0-beta1
• MEDIUM6.1Grafana XSS via adding a link in General feature in github.com/grafana/grafana
  from 0, < 6.0.0-beta1+incompatible
• MEDIUM6.1Grafana XSS in Dashboard Text Panel in github.com/grafana/grafana
  from 0, < 6.0.0-beta1+incompatible
• MEDIUM6.1Grafana XSS in Dashboard Text Panel in github.com/grafana/grafana
  from 0, < 6.0.0-beta1
• MEDIUM6.1Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana
  from 0, < 7.1.0-beta1
• MEDIUM6.1Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana
  from 0
• MEDIUM6.1Grafana XSS via a column style in github.com/grafana/grafana
  from 0
• MEDIUM6.1Grafana XSS via a column style in github.com/grafana/grafana
  from 0, < 7.0.0
• MEDIUM6.1Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana
  from 0, < 7.0.0
• MEDIUM6.1Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana
  from 0
• MEDIUM6.1Grafana XSS in header column rename in github.com/grafana/grafana
  from 0, < 6.7.3
• MEDIUM6.1Grafana XSS in header column rename in github.com/grafana/grafana
  from 0
• MEDIUM6.0User with permissions to create a data source can CRUD all data sources
  from 0
• MEDIUM6.0User with permissions to create a data source can CRUD all data sources
  >= 8.5.0, < 9.5.7
• MEDIUM5.8Server Side Request Forgery in Grafana
  >= 3.0.1, < 6.7.4
• MEDIUM5.5Grafana information disclosure in github.com/grafana/grafana
  from 0
• MEDIUM5.5Grafana information disclosure in github.com/grafana/grafana
  from 0, < 7.2.1
• MEDIUM5.5Grafana world readable configuration files in github.com/grafana/grafana
  from 0
• MEDIUM5.5Grafana world readable configuration files in github.com/grafana/grafana
  >= 6.0.0-beta1, < 7.2.1
• MEDIUM5.4Missing Protected-field Authorization in Provisioning Contact Points API
  from 0, < 1.9.2-0.20260323180334-daffe750de85
• MEDIUM5.4Email Validation Bypass And Preventing Sign Up From Email's Owner
  >= 2.5.0, < 9.5.16
• MEDIUM5.4Grafana vulnerable to Cross-site Scripting
  >= 7.0.0, < 8.5.21
• MEDIUM5.4Grafana vulnerable to Cross-site Scripting
  >= 8.1.0, < 8.5.21
• MEDIUM5.4Grafana stored XSS in github.com/grafana/grafana
  from 0, < 6.7.2
• MEDIUM5.4Grafana stored XSS in github.com/grafana/grafana
  from 0
• MEDIUM5.4Grafana Cross-site Scripting vulnerability
  from 0, < 6.2.5
• MEDIUM5.4Grafana XSS Vulnerability
  from 0, < 5.3.2
• MEDIUM5.0Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana
  >= 0.0.0-20210414170620-dadccdda06e6
• MEDIUM5.0Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana
  >= 0.0.0-20210414170620-dadccdda06e6, < 0.0.0-20250424191517-1f707d16ed5d
• MEDIUM4.9Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
  >= 9.0.0, < 9.1.8
• MEDIUM4.9Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
  from 0
• MEDIUM4.4Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana
  >= 11.1.0, < 11.1.1
• MEDIUM4.4Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana
  from 0
• MEDIUM4.3Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana
  from 0
• MEDIUM4.3Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana
  from 0, < 1.9.2-0.20250514160932-04111e9f2afd
• MEDIUM4.3Grafana Alerting VictorOps integration could be exposed to users with Viewer permission in github.com/grafana/grafana
  >= 11.4.0, < 11.4.1
• MEDIUM4.3Grafana Alerting VictorOps integration could be exposed to users with Viewer permission in github.com/grafana/grafana
  from 0
• MEDIUM4.3Grafana users with email as a username can block other users from signing in
  from 0, < 8.5.14
• MEDIUM4.3Grafana users with email as a username can block other users from signing in
  from 0
• MEDIUM4.3Exposure of Sensitive Information in Grafana
  >= 5.0.0-beta1, < 7.5.15
• MEDIUM4.3Grafana directory traversal for `.cvs` files
  >= 8.0.0-beta3, < 8.3.2
• MEDIUM4.1Grafana has Broken Access Control in Alert manager: Viewer can send test alerts
  from 0, < 8.5.26
• LOW2.7Very long unicode dashboard title or panel name can hang the frontend
  from 0, < 0.0.0-20250521211231-e0ba4b480954, >= 0.0.1-test
• LOW2.7Very long unicode dashboard title or panel name can hang the frontend
  >= 0.0.1-test, < 11.6.2
• LOW2.2Grafana org admin can delete pending invites in different org in github.com/grafana/grafana
  from 0
• LOW2.2Grafana org admin can delete pending invites in different org in github.com/grafana/grafana
  from 0, <= 10.4.0