
Overview

  • grafana
  • grafana

20 May 2022
Published
23 Apr 2025
Updated

CVSS v3.1
MEDIUM (6.6)
EPSS
0.14%

KEV

Description

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security allow list feature allows Grafana to be configured so that the instance does not call, or only calls, specific hosts. The vulnerability, present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3, allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially disclose sensitive information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse


VDE-2026-049
Balluff GmbH: Multiple Vulnerabilities Affecting BNI EGW-720-007-K095 and BAV MA-NC-00025-01

Security advisory for Balluff BNI EGW-720-007-K095 and BAV MA-NC-00025-01 firmware versions prior to 2.4.1. This advisory covers multiple vulnerabilities affecting software components used by the device firmware.
CVE-2025-68121, CVE-2026-1229, CVE-2025-41115, CVE-2025-15467, CVE-2023-3128, CVE-2022-28660, CVE-2022-26148, CVE-2018-15727, CVE-2020-27846, CVE-2024-9264, CVE-2024-1442, CVE-2022-28391, CVE-2022-24812, CVE-2022-23498, CVE-2022-21703, CVE-2022-31097, CVE-2025-61732, CVE-2025-4674, CVE-2022-29170, CVE-2024-56406

certvde.com/en/advisories/vde-

balluff.csaf-tp.certvde.com/.w


Overview

  • Pending

21 Mar 2022
Published
03 Aug 2024
Updated

CVSS
Pending
EPSS
15.73%

KEV

Description

An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When a user logs in (and user registration is allowed), one can right-click to view the source code and use Ctrl-F to search for "password" in api_jsonrpc.php to discover the Zabbix account password and URL address.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

VDE-2026-049 (the Balluff GmbH advisory post listed under the first entry above)

Overview

  • Go toolchain
  • cmd/cgo
  • cmd/cgo

05 Feb 2026
Published
30 Jun 2026
Updated

CVSS
Pending
EPSS
0.47%

KEV

Description

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

VDE-2026-049 (the Balluff GmbH advisory post listed under the first entry above)

Overview

  • Grafana
  • Grafana

18 Oct 2024
Published
14 Mar 2025
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
97.78%

KEV

Description

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

VDE-2026-049 (the Balluff GmbH advisory post listed under the first entry above)

Overview

  • OpenSSL
  • OpenSSL

27 Jan 2026
Published
30 Jun 2026
Updated

CVSS
Pending
EPSS
47.62%

KEV

Description

Issue summary: Parsing a CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

VDE-2026-049 (the Balluff GmbH advisory post listed under the first entry above)

Overview

  • grafana
  • grafana

12 Apr 2022
Published
28 Jan 2026
Updated

CVSS v3.1
HIGH (8.0)
EPSS
0.20%

KEV

Description

Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses a Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, subsequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges: for example, when a first request is made with Admin permissions and a second request with a different API Key is made with Viewer permissions, the second request will get the cached permissions from the previous Admin request, essentially accessing higher privilege than it should. The vulnerability only impacts Grafana Enterprise when the fine-grained access control beta feature is enabled and there is more than one API Key in one organization with different roles assigned. All installations after Grafana Enterprise v8.1.0-beta1 should be upgraded as soon as possible. As an alternative, disabling fine-grained access control will mitigate the vulnerability.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

VDE-2026-049 (the Balluff GmbH advisory post listed under the first entry above)

Overview

  • Go standard library
  • crypto/tls
  • crypto/tls

05 Feb 2026
Published
29 Apr 2026
Updated

CVSS
Pending
EPSS
0.76%

KEV

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

VDE-2026-049 (the Balluff GmbH advisory post listed under the first entry above)

Overview

  • grafana
  • grafana

03 Feb 2023
Published
28 Jan 2026
Updated

CVSS v3.1
HIGH (7.1)
EPSS
0.08%

KEV

Description

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

VDE-2026-049 (the Balluff GmbH advisory post listed under the first entry above)

Overview

  • Pending

20 May 2022
Published
03 Aug 2024
Updated

CVSS
Pending
EPSS
0.22%

KEV

Description

The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

VDE-2026-049 (the Balluff GmbH advisory post listed under the first entry above)

Overview

  • Grafana
  • Grafana Enterprise

21 Nov 2025
Published
22 Jun 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
17.29%

KEV

Description

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow internal user IDs to be overridden and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met:

  • `enableSCIM` feature flag set to true
  • `user_sync_enabled` config option in the `[auth.scim]` block set to true

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

VDE-2026-049 (the Balluff GmbH advisory post listed under the first entry above)
Showing 71 to 80 of 80 CVEs