Byte Open Security (ByteOS Network)
grafana/grafana-enterprise

Source - CNA
CNA CVEs - 4
ADP CVEs - 0
CISA CVEs - 0
NVD CVEs - 0

4 vulnerabilities found

CVE-2025-41117
Assigner-Grafana Labs
CVSS Score-6.8 (MEDIUM)
EPSS-Not Assigned
Published-12 Feb, 2026 | 08:49
Updated-12 Feb, 2026 | 15:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Grafana Explore stack trace

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, so JavaScript embedded in a stack trace executes in the browser of whoever views the trace. Exploitation requires an attacker to get malicious JavaScript into the stack trace field of a trace. Only data sources that use the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear to be affected at all.

Action-Not Available
Vendor-Grafana Labs
Product-grafana/grafana-enterprise, grafana/grafana
CVE-2026-21722
Assigner-Grafana Labs
CVSS Score-5.3 (MEDIUM)
EPSS-Not Assigned
Published-12 Feb, 2026 | 08:49
Updated-12 Feb, 2026 | 15:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Public Dashboards time range restriction on annotations can be bypassed

Public dashboards with annotations enabled did not limit their annotation time range to the locked time range of the public dashboard. As a result, a viewer could read the entire history of annotations visible on that dashboard, including those outside the locked time range. This did not leak any annotations that would not otherwise be visible on the public dashboard.

Action-Not Available
Vendor-Grafana Labs
Product-grafana/grafana-enterprise, grafana/grafana
CVE-2026-21721
Assigner-Grafana Labs
CVSS Score-8.1 (HIGH)
EPSS-0.03% / 7.42% (7 day change ~0.00%)
Published-27 Jan, 2026 | 09:07
Updated-12 Feb, 2026 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dashboard Permissions Scope Bypass Enables Cross-Dashboard Privilege Escalation

The dashboard permissions API does not verify the scope of the target dashboard: it only checks that the caller holds an action in the dashboards.permissions:* family, not that the action is granted on the dashboard being addressed. As a result, a user who has permission management rights on one dashboard can read and modify permissions on every other dashboard in the organization. This is an organization-internal privilege escalation; it does not cross organization boundaries.

Action-Not Available
Vendor-Grafana Labs
Product-grafana/grafana-enterprise, grafana/grafana
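The check described above, as an added Go example that is not Grafana's code: a toy RBAC evaluator with the action-only check beside a scoped one. The scope format `dashboards:uid:<uid>` with `dashboards:*` and `dashboards:uid:*` wildcards, the concrete action names under `dashboards.permissions:*`, and the users `alice` and `admin` are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one RBAC grant: an action paired with the scope it applies to.
// Assumption for this example: scopes look like "dashboards:uid:<uid>", with
// "dashboards:*" and "dashboards:uid:*" as wildcards. This is a toy matcher,
// not Grafana's own scope resolver.
type Permission struct {
	Action string
	Scope  string
}

// User is a caller in one organisation together with its grants.
type User struct {
	Name  string
	Perms []Permission
}

// Concrete action names in the dashboards.permissions:* family the advisory
// refers to (assumed for the example).
const (
	ActionPermsRead  = "dashboards.permissions:read"
	ActionPermsWrite = "dashboards.permissions:write"
)

// scopeCovers reports whether a granted scope applies to the requested one.
func scopeCovers(granted, requested string) bool {
	if granted == "*" || granted == requested {
		return true
	}
	if strings.HasSuffix(granted, ":*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// VulnerableCheck mirrors the flaw: it only asks whether the caller holds the
// action on *some* scope. targetUID is never consulted, which is the bug.
func VulnerableCheck(u User, action, targetUID string) bool {
	for _, p := range u.Perms {
		if p.Action == action {
			return true
		}
	}
	return false
}

// ScopedCheck is the corrected evaluation: the action must be granted on a
// scope that covers the dashboard the request actually targets.
func ScopedCheck(u User, action, targetUID string) bool {
	want := "dashboards:uid:" + targetUID
	for _, p := range u.Perms {
		if p.Action == action && scopeCovers(p.Scope, want) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: alice may manage permissions on dashboard "sales" only.
	alice := User{Name: "alice", Perms: []Permission{
		{ActionPermsRead, "dashboards:uid:sales"},
		{ActionPermsWrite, "dashboards:uid:sales"},
	}}
	for _, uid := range []string{"sales", "payroll"} {
		fmt.Printf("alice -> %s: vulnerable=%v scoped=%v\n", uid,
			VulnerableCheck(alice, ActionPermsWrite, uid),
			ScopedCheck(alice, ActionPermsWrite, uid))
	}
}
```

Run as written, the action-only check lets alice rewrite the permissions of "payroll", a dashboard she was never granted; the scoped check denies it while still allowing "sales". When auditing an authorization endpoint for this class of bug, look for evaluations that take an action but never the identifier of the object the request names.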
CVE-2026-21720
Assigner-Grafana Labs
CVSS Score-7.5 (HIGH)
EPSS-0.05% / 16.25% (7 day change ~0.00%)
Published-27 Jan, 2026 | 09:07
Updated-12 Feb, 2026 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue for longer than three seconds, the handler times out and stops listening for the result, so the goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random (and therefore uncached) hashes keeps tripping this timeout, so the goroutine count grows linearly with request volume, eventually exhausting memory and causing Grafana to crash on some systems. No authentication is required to reach the endpoint.

Action-Not Available
Vendor-Grafana Labs
Product-grafana/grafana-enterprise, grafana/grafana
CWE ID-CWE-400 (Uncontrolled Resource Consumption)
CWE ID-CWE-703 (Improper Check or Handling of Exceptional Conditions)
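The leak mechanism described above, as an added Go example that is not Grafana's avatar code: a handler that waits a bounded time for a result sent on an unbuffered channel, beside the same handler with a channel of capacity one. The slot count, fetch time and timeout are scaled down from the advisory's 10 slots and 3 seconds so the demo runs in well under a second; the `fetcher` type, its methods and `leakedGoroutines` are constructed for this example.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
	"time"
)

// Scaled-down stand-ins for the advisory's 10 slots / 3 s (assumed values so
// the demo finishes quickly; they are not Grafana's configuration).
const (
	slots   = 4                     // concurrent worker slots (advisory: 10)
	refresh = 20 * time.Millisecond // simulated upstream Gravatar fetch
	timeout = 5 * time.Millisecond  // how long the handler waits (advisory: 3 s)
)

// fetcher models the per-request refresh path: acquire a slot, fetch, release
// the slot, then hand the result back to the handler over a channel.
type fetcher struct {
	sem chan struct{}
}

func newFetcher() *fetcher { return &fetcher{sem: make(chan struct{}, slots)} }

// spawn runs the refresh in its own goroutine and returns the channel the
// handler reads. The capacity of that channel is the whole bug: unbuffered
// means the send can only complete while a receiver is still waiting.
func (f *fetcher) spawn(hash string, buffered bool) <-chan string {
	var done chan string
	if buffered {
		done = make(chan string, 1) // fix: send completes even if the handler left
	} else {
		done = make(chan string) // vulnerable: send blocks until someone receives
	}
	go func() {
		f.sem <- struct{}{}      // wait for a worker slot (the "queue")
		time.Sleep(refresh)      // simulated fetch
		<-f.sem                  // release the slot
		done <- "avatar:" + hash // blocks forever if unbuffered and nobody listens
	}()
	return done
}

// handle models GET /avatar/:hash: wait up to `timeout` for the result, then
// give up. Giving up is what strands the sender.
func (f *fetcher) handle(hash string, buffered bool) (string, bool) {
	select {
	case v := <-f.spawn(hash, buffered):
		return v, true
	case <-time.After(timeout):
		return "", false
	}
}

// leakedGoroutines fires n concurrent requests with distinct hashes, lets every
// refresh drain through the slots, and reports how many goroutines are still
// alive relative to the baseline taken before the burst.
func leakedGoroutines(n int, buffered bool) int {
	f := newFetcher()
	base := runtime.NumGoroutine()
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			f.handle(fmt.Sprintf("h%d", i), buffered)
		}(i)
	}
	wg.Wait()
	// Generous settle time: n/slots batches of `refresh`, plus slack.
	time.Sleep(time.Duration(n/slots+5) * refresh)
	return runtime.NumGoroutine() - base
}

func main() {
	fmt.Printf("unbuffered: %d goroutines leaked\n", leakedGoroutines(20, false))
	fmt.Printf("buffered:   %d goroutines leaked\n", leakedGoroutines(20, true))
}
```

With the unbuffered channel every one of the 20 timed-out requests leaves a goroutine parked on its send, which is the linear growth the advisory describes; with capacity one the worker completes its send into the buffer and exits. A buffered channel stops the leak but still does the abandoned work, so a production fix should also pass a context to the queued fetch so it can stop early, and cap or reject the queue when it is full. The `go_goroutines` series on Grafana's /metrics endpoint is the obvious place to watch for this symptom.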