Vulnerability-Lookup

CVE-2026-28375 (GCVE-0-2026-28375)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:26 – Updated: 2026-04-15 19:25

Title

Grafana Testdata datasource can issue unbounded memory allocations

Summary

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GRAFANA

References

URL

	Vendor	Product	Version
	Grafana	Grafana	Affected: 8.1.0 , < 11.6.14 (semver) Affected: 12.0.0 , < 12.1.10 (semver) Affected: 12.2.0 , < 12.2.8 (semver) Affected: 12.3.0 , < 12.3.6 (semver) Affected: 12.4.0 , < 12.4.2 (semver)

FKIE_CVE-2026-28375

Vulnerability from fkie_nvd - Published: 2026-03-27 15:16 - Updated: 2026-03-31 18:15

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

References

	URL	Tags
	security@grafana.com	https://grafana.com/security/security-advisories/cve-2026-28375	Vendor Advisory

Impacted products

Vendor	Product	Version
grafana	grafana	*
grafana	grafana	*
grafana	grafana	*
grafana	grafana	*
grafana	grafana	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D7C388A-A7A0-4ED2-B0D4-3D9440B59F17",
              "versionEndExcluding": "8.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5845D5E9-8631-4F0B-B100-24DCDE4C8C1F",
              "versionEndExcluding": "12.0.0",
              "versionStartIncluding": "11.6.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE3F977F-FF94-4A15-918C-54241EC49560",
              "versionEndExcluding": "12.2.0",
              "versionStartIncluding": "12.1.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB499815-0B44-4BF9-AB14-F7272EF0173F",
              "versionEndExcluding": "12.3.0",
              "versionStartIncluding": "12.2.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F2B145A-24E0-4C0F-BF82-FFD2B1301B51",
              "versionEndExcluding": "12.4.0",
              "versionStartIncluding": "12.3.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana."
    }
  ],
  "id": "CVE-2026-28375",
  "lastModified": "2026-03-31T18:15:45.243",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@grafana.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-27T15:16:51.547",
  "references": [
    {
      "source": "security@grafana.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://grafana.com/security/security-advisories/cve-2026-28375"
    }
  ],
  "sourceIdentifier": "security@grafana.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

bit-grafana-2026-28375

Vulnerability from bitnami_vulndb

Published

2026-04-01 08:41

Modified

2026-04-08 09:14

Summary

Grafana Testdata datasource can issue unbounded memory allocations

Details

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "grafana",
        "purl": "pkg:bitnami/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.1.0"
            },
            {
              "fixed": "11.6.14"
            },
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.1.10"
            },
            {
              "introduced": "12.2.0"
            },
            {
              "fixed": "12.2.8"
            },
            {
              "introduced": "12.3.0"
            },
            {
              "fixed": "12.3.6"
            },
            {
              "introduced": "12.4.0"
            },
            {
              "fixed": "12.4.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28375"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
      "cpe:2.3:a:grafana:grafana:*:*:*:*:*:go:*:*"
    ],
    "severity": "Medium"
  },
  "details": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana.",
  "id": "BIT-grafana-2026-28375",
  "modified": "2026-04-08T09:14:18.943Z",
  "published": "2026-04-01T08:41:15.363Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://grafana.com/security/security-advisories/cve-2026-28375"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28375"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "Grafana Testdata datasource can issue unbounded memory allocations"
}

GHSA-MP76-5XHH-VXVC

Vulnerability from github – Published: 2026-03-27 15:30 – Updated: 2026-03-27 15:30

Details

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-28375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-27T15:16:51Z",
    "severity": "MODERATE"
  },
  "details": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana.",
  "id": "GHSA-mp76-5xhh-vxvc",
  "modified": "2026-03-27T15:30:25Z",
  "published": "2026-03-27T15:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28375"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/security/security-advisories/cve-2026-28375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

SUSE-SU-2026:1524-1

Vulnerability from csaf_suse - Published: 2026-04-21 09:26 - Updated: 2026-04-21 09:26

Summary

Security update 5.1.3 for Multi-Linux Manager Client Tools

Severity

Critical

Notes

Title of the patch: Security update 5.1.3 for Multi-Linux Manager Client Tools

Description of the patch: This update fixes the following issues: golang-github-lusitaniae-apache_exporter: - Internal changes to fix build issues with no impact for customers golang-github-prometheus-prometheus: - Security issues fixed: * CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893) + Bumped rollup to version 4.59.0 * CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841) + Bumped brace-expansion to version 5.0.2 * CVE-2026-1615, CVE-2025-61140 The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442) * CVE-2025-13465: Bumped lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329) * CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260267) + Bumped google.golang.org/grpc to version 1.79.3 grafana: - Security issues fixed: * CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136) * CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337) * CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349) * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302) * CVE-2026-26958: Bumped filippo.io/edwards25519 to version 1.1.1 (bsc#1258595) * CVE-2026-21725: Fixed missing UID when deleting datasource by name (bsc#1258873) * CVE-2026-21725: Fixed missing UID when deleting datasource by name (bsc#1258873) * CVE-2026-27876: Fixed remote arbitrary code execution via chained SQL Expressions (bsc#1261025) * CVE-2026-27877: Fixed information disclosure of data-source passwords via public dashboards (bsc#1261026) * CVE-2026-28375: Fixed denial of service via testdata data-source (bsc#1261029) * CVE-2026-27879: Fixed denial of service via resample query (bsc#1261027) * CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260263) * CVE-2026-21724: Fixed authorization bypass allows modification of protected webhook URLs (bsc#1260878) - Version update from 11.5.10 to 11.6.14+security01 with the following highlighted changes and fixes: * Public Dashboards: Wired the public dashboard service to the HTTP server to ensure proper connectivity and availability * Authentication: Refined the redirect logic to ensure consistent behavior during login and logout sequences * Dashboard Reliability: Resolved a bug preventing single panels from rendering correctly when dashboard variables are referenced * Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and removed blurred backgrounds from UI overlays to speed up the interface * One-Click Actions: Visualizations now support faster navigation via one-click links and actions * Alerting History: Added version history for alert rules, allowing you to track changes over time * Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup * Cron Support: Annotations now support Cron syntax for more flexible scheduling * Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues when Grafana is hosted on a subpath * Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting * Alerting Limits: Added size limits for expanded notification templates to prevent system strain * RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field * Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated rows or nested queries * Dashboard Reliability: + Fixed bugs involving row repeats and 'self-referencing' data links + Fixed a bug preventing single panels from rendering correctly when dashboard variables are referenced * Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed issues where contact points weren't working correctly * URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly prometheus-blackbox_exporter: - Internal changes to fix build issues with no impact for customers spacecmd: - Version 5.1.13-0 * Update translation strings uyuni-tools: - Version 5.1.26-0 * Fixed applying PTF with images from RPMs (bsc#1252548) * Ssl Key file can miss if CA password is blank (bsc#1254154) * mgrpxy ssh tuning should happens before crypto policies (bsc#1254619) * Fixed default value for helm registry (bsc#1258927). * Remove hub register command * Optimize postgres migration disk space usage (bsc#1257447) * Added continuous database backup support (bsc#1250367) * Explicitly start proxy pods after operations (bsc#1258015) * Use static supportconfig name to avoid dynamic search (bsc#1257941) * Do not nest multiple tarball files and instead collect all files into one tarball (bsc#1252964) * Show where final tarball was generated (bsc#1259208) * Set proxy config file permissions (bsc#1257660) - Version 5.1.25-0 * If PTF image doesn't exists, use the current service image (bsc#1258418)

Patchnames: SUSE-2026-1524,SUSE-MultiLinuxManagerTools-SLE-15-2026-1524,SUSE-MultiLinuxManagerTools-SLE-Micro-5-2026-1524

CVE-2025-13465

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H