Known Vulnerabilities for Grafana by Vendor
Listed below are 10 of the newest known vulnerabilities associated with "Grafana" by "Vendor".
These CVEs are retrieved based on exact matches on listed software, hardware, and vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed software information are still displayed.
Data on known vulnerable versions is also displayed based on information from known CPEs
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-33382 json | Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. ... | Not Provided | 2026-07-10 | 2026-07-10 |
| CVE-2026-33380 json | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesys... | Not Provided | 2026-05-13 | 2026-06-12 |
| CVE-2026-28383 json | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body i... | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-28381 json | The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data so... | Not Provided | 2026-06-22 | 2026-06-24 |
| CVE-2026-28379 json | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent ... | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-28376 json | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request ... | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-27878 json | A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amou... | Not Provided | 2026-06-19 | 2026-06-23 |
| CVE-2026-27876 json | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RC... | Not Provided | 2026-03-27 | 2026-06-27 |
| CVE-2026-21727 json | --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.... | Not Provided | 2026-04-15 | 2026-04-20 |
| CVE-2026-21725 json | A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted withou... | Not Provided | 2026-02-25 | 2026-05-10 |