Common Vulnerabilities and Exposures (CVE)

CVE-2026-27876

Apr 9, 2026 13:49:27 UTC

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future at...

CVE-2026-2377

Apr 9, 2026 13:49:27 UTC

A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application's backend to make arbitrary requests to internal network resources, ...

CVE-2026-21720

Apr 9, 2026 13:49:26 UTC

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutin...

CVE-2026-21722

Apr 9, 2026 13:49:26 UTC

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those o...

CVE-2026-28375

Apr 9, 2026 13:49:25 UTC

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

CVE-2025-41117

Apr 9, 2026 13:49:24 UTC

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jae...

CVE-2025-41115

Apr 9, 2026 13:49:24 UTC

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provis...

CVE-2026-39891

Apr 9, 2026 13:49:10 UTC

PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed direc...

CVE-2026-30079

Apr 9, 2026 13:47:21 UTC

In OpenAirInterface V2.2.0 AMF, out-of-sequence messages cause an incorrect state transition during the UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegi...

CVE-2026-5831

Apr 9, 2026 13:45:17 UTC

A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impacts an unknown function of the file src/mcp/server/handlers.ts of the component terminal_execute. Performing a manipulation results in OS command injection. The...

CVE-2025-62818

Apr 9, 2026 13:44:57 UTC

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-...

CVE-2025-52909

Apr 9, 2026 13:42:45 UTC

An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect handling of the NL80211 vendor command leads to a buffer overflow...

CVE-2026-39860

Apr 9, 2026 13:42:36 UTC

Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi...

CVE-2026-40027

Apr 9, 2026 13:41:25 UTC

ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, a...

CVE-2026-5836

Apr 9, 2026 13:37:58 UTC

A vulnerability has been found in code-projects Online Shoe Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_product.php. The manipulation of the argument product_name leads to cross-site scripting. T...