132 CVEs

2 in CISA KEV

grafana Vulnerabilities

CVE security advisories and vulnerability history for grafana.

132

Total CVEs

Published

2

In CISA KEV

Exploited in the wild

14

Public exploits

With known exploit

6.4

Avg CVSS

2018–2026

Overview

grafana has 132 published CVE records since 2018, of which 2 are in CISA's Known Exploited Vulnerabilities catalog and 14 have a known public exploit. The average CVSS base score across scored CVEs is 6.4.

This page aggregates every publicly disclosed vulnerability (CVE) affecting grafana products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of grafana's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical10

High28

Medium57

Low5

32 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

2

2 of grafana's CVEs are confirmed exploited in the wild.

Public exploits

14

14 of grafana's CVEs have a known public exploit available.

Most affected products

The grafana products with the most published CVEs.

grafana101 CVEs
github.com/grafana/grafana60 CVEs
Grafana OSS15 CVEs
Grafana Enterprise14 CVEs
fedora10 CVEs
e-series performance analyzer9 CVEs
grafana/grafana4 CVEs
ceph storage4 CVEs

Common weakness types

The CWE weakness categories most often found in grafana CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish grafana CVE records.

Disclosure activity by year

How many grafana CVEs were published each year.

2019

4

2020

14

2021

14

2022

24

2023

15

2024

13

2025

16

2026

28

Latest grafana CVEs

The most recently disclosed vulnerabilities affecting grafana.

IDOR in Annotations API allows unprivileged users to DELETE annotation
CWE-284
Medium · CVSS 4.3
EPSS 0.0%2026-05-13
Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro
CWE-400
Medium · CVSS 6.5
EPSS 0.0%2026-05-13
Grafana plugin resources can lead to unbounded memory allocation
CWE-770
Medium · CVSS 6.5
EPSS 0.0%2026-05-13
Auth Proxy IPv6 whitelist bypass
CWE-1188
High · CVSS 7.4
EPSS 0.0%2026-05-13
SQL Expressions Read File From Disk
CWE-552
Medium · CVSS 6.3
EPSS 0.0%2026-05-13
BAC in Snapshot API allows deletion of unauthorized dashboard snapshots
CWE-862
Medium · CVSS 6.5
EPSS 0.0%2026-05-13
Users can generate Service Account tokens after permissions removal
CWE-284
Medium · CVSS 5.9
EPSS 0.0%2026-05-13
Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin
CWE-284
High · CVSS 7.1
EPSS 0.0%2026-05-13
Grafana Live push endpoint allows unbounded memory allocation leading to OOM
CWE-770
Medium · CVSS 6.5
EPSS 0.0%2026-05-13
Viewer-triggered race condition in Grafana Live leads to complete server crash
CWE-362
Medium · CVSS 6.5
EPSS 0.0%2026-05-13
Tempo query limit results in unbounded memory allocation
CWE-400
High · CVSS 7.5
EPSS 0.0%2026-04-24
Loki Path Traversal - CVE-2021-36156 Bypass
CWE-22
Medium · CVSS 5.3
EPSS 0.0%2026-04-15

Track new grafana CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor grafana CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

microsoft24,097 CVEs Linux19,131 CVEs google14,281 CVEs apple14,019 CVEs oracle10,440 CVEs debian10,201 CVEs IBM8,265 CVEs Adobe7,222 CVEs

Browse all vendors

Frequently asked questions

Common questions about grafana vulnerabilities.

How many CVEs does grafana have?

grafana has 132 published CVE records since 2018, including 44 in the last two years.

How many grafana CVEs are in CISA KEV?

Yes — 2 of grafana's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which grafana products have the most CVEs?

The grafana products with the most published CVEs are grafana, github.com/grafana/grafana, Grafana OSS, Grafana Enterprise, fedora.

What are the most common weakness types in grafana CVEs?

grafana's CVEs most often map to these CWE weakness types: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-863 (Incorrect Authorization).

Are there public exploits for grafana vulnerabilities?

Yes — 14 of grafana's CVEs have a known public exploit.

How many critical grafana vulnerabilities are there?

grafana has 10 critical and 28 high-severity CVEs.

What is the average severity of grafana CVEs?

The average CVSS base score across grafana's scored CVEs is 6.4.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track grafana vulnerabilities

Monitor new grafana vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing