Common Vulnerabilities and Exposures (CVE)

CVE-2026-4325

Apr 7, 2026 11:27:36 UTC

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of con...

CVE-2026-4282

Apr 7, 2026 11:27:33 UTC

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can ...

CVE-2026-5342

Apr 7, 2026 11:27:04 UTC

A flaw has been found in LibRaw up to 0.22.0. This affects the function LibRaw::nikon_load_padded_packed_raw of the file src/decoders/decoders_libraw.cpp of the component TIFF/NEF. Executing a manipulation of the argument load_flags/raw_wid...

CVE-2026-5318

Apr 7, 2026 11:26:57 UTC

A weakness has been identified in LibRaw up to 0.22.0. This impacts the function HuffTable::initval of the file src/decompressors/losslessjpeg.cpp of the component JPEG DHT Parser. This manipulation of the argument bits[] causes out-of-boun...

CVE-2026-31842

Apr 7, 2026 11:17:33 UTC

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value ...

CVE-2025-14831

Apr 7, 2026 11:09:20 UTC

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and...

CVE-2026-4420

Apr 7, 2026 10:46:19 UTC

Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creation functionality. An authenticated attacker with page creation privileges (such as Author, Editor, or Administrator) can embed a malicious JavaScript payload in the...

CVE-2026-21725

Apr 7, 2026 10:32:20 UTC

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin ...

CVE-2026-21724

Apr 7, 2026 10:32:19 UTC

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protec...

CVE-2026-27879

Apr 7, 2026 10:32:18 UTC

A resample query can be used to trigger out-of-memory crashes in Grafana.

CVE-2026-28377

Apr 7, 2026 10:32:17 UTC

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goo...

CVE-2026-21721

Apr 7, 2026 10:32:16 UTC

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other...

CVE-2026-27877

Apr 7, 2026 10:32:15 UTC

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be convert...

CVE-2026-27880

Apr 7, 2026 10:32:13 UTC

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

CVE-2026-33375

Apr 7, 2026 10:32:12 UTC

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger catastrophic Out-Of-Memory (OOM) exhaustion, crashing the host container.