SUSE-SU-2026:2258-1
Vulnerability from csaf_suse - Published: 2026-06-03 14:22 - Updated: 2026-06-03 14:22Summary
Security update for grafana
Severity
Moderate
Notes
Title of the patch: Security update for grafana
Description of the patch: This update for grafana to version to 11.6.14+security01 fixes the following issues:
- Security Fixes:
- CVE-2026-34986: Fixed unrecoverable error in JWE decryption that could lead to a denial of service (bsc#1262950)
- CVE-2026-41602: Fixed Integer Overflow or Wraparound vulnerability in Apache Thrift (bsc#1263501)
- CVE-2026-26958: Ensure that MultiScalarMult properly handles initialization and produces correct results
(bsc#1258595)
- CVE-2026-21725: Fixed missing UID when deleting datasource by name (bsc#1258873)
- CVE-2026-33375: Fixed denial of Service via out-of-memory exhaustion in MSSQL data source plugin (bsc#1260881)
- CVE-2026-27876: Fixed remote arbitrary code execution via chained SQL Expressions (bsc#1261025)
- CVE-2026-27877: Fixed information disclosure of data-source passwords via public dashboards (bsc#1261026)
- CVE-2026-28375: Fixed denial of service via testdata data-source (bsc#1261029)
- CVE-2026-27879: Fixed denial of service via resample query (bsc#1261027)
- CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header
(bsc#1260263)
- CVE-2026-21724: Fixed authorization bypass allows modification of protected webhook URLs (bsc#1260878)
- Highlights of other changes and bug fixes:
- Version 11.6.13:
- Wire the public dashboard service to the HTTP server
- Version 11.6.12:
- Update authentication redirect logic
- Fixed single panel render with variable references
Patchnames: SUSE-2026-2258,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2258
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
5.4 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
9.1 (Critical)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
52 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for grafana",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for grafana to version to 11.6.14+security01 fixes the following issues:\n\n- Security Fixes:\n\n - CVE-2026-34986: Fixed unrecoverable error in JWE decryption that could lead to a denial of service (bsc#1262950)\n - CVE-2026-41602: Fixed Integer Overflow or Wraparound vulnerability in Apache Thrift (bsc#1263501)\n - CVE-2026-26958: Ensure that MultiScalarMult properly handles initialization and produces correct results \n (bsc#1258595)\n - CVE-2026-21725: Fixed missing UID when deleting datasource by name (bsc#1258873)\n - CVE-2026-33375: Fixed denial of Service via out-of-memory exhaustion in MSSQL data source plugin (bsc#1260881)\n - CVE-2026-27876: Fixed remote arbitrary code execution via chained SQL Expressions (bsc#1261025)\n - CVE-2026-27877: Fixed information disclosure of data-source passwords via public dashboards (bsc#1261026)\n - CVE-2026-28375: Fixed denial of service via testdata data-source (bsc#1261029)\n - CVE-2026-27879: Fixed denial of service via resample query (bsc#1261027)\n - CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header\n (bsc#1260263)\n - CVE-2026-21724: Fixed authorization bypass allows modification of protected webhook URLs (bsc#1260878)\n\n- Highlights of other changes and bug fixes:\n\n - Version 11.6.13:\n\n - Wire the public dashboard service to the HTTP server\n\n - Version 11.6.12:\n\n - Update authentication redirect logic\n - Fixed single panel render with variable references\n\n ",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-2258,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2258",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_2258-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:2258-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262258-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:2258-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047070.html"
},
{
"category": "self",
"summary": "SUSE Bug 1258595",
"url": "https://bugzilla.suse.com/1258595"
},
{
"category": "self",
"summary": "SUSE Bug 1258873",
"url": "https://bugzilla.suse.com/1258873"
},
{
"category": "self",
"summary": "SUSE Bug 1259999",
"url": "https://bugzilla.suse.com/1259999"
},
{
"category": "self",
"summary": "SUSE Bug 1260263",
"url": "https://bugzilla.suse.com/1260263"
},
{
"category": "self",
"summary": "SUSE Bug 1260878",
"url": "https://bugzilla.suse.com/1260878"
},
{
"category": "self",
"summary": "SUSE Bug 1260881",
"url": "https://bugzilla.suse.com/1260881"
},
{
"category": "self",
"summary": "SUSE Bug 1261025",
"url": "https://bugzilla.suse.com/1261025"
},
{
"category": "self",
"summary": "SUSE Bug 1261026",
"url": "https://bugzilla.suse.com/1261026"
},
{
"category": "self",
"summary": "SUSE Bug 1261027",
"url": "https://bugzilla.suse.com/1261027"
},
{
"category": "self",
"summary": "SUSE Bug 1261029",
"url": "https://bugzilla.suse.com/1261029"
},
{
"category": "self",
"summary": "SUSE Bug 1262950",
"url": "https://bugzilla.suse.com/1262950"
},
{
"category": "self",
"summary": "SUSE Bug 1263501",
"url": "https://bugzilla.suse.com/1263501"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-29923 page",
"url": "https://www.suse.com/security/cve/CVE-2025-29923/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21724 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21724/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21725 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21725/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-26958 page",
"url": "https://www.suse.com/security/cve/CVE-2026-26958/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27876 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27876/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27877 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27877/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27879 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27879/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-28375 page",
"url": "https://www.suse.com/security/cve/CVE-2026-28375/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33375 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33375/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41602 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41602/"
}
],
"title": "Security update for grafana",
"tracking": {
"current_release_date": "2026-06-03T14:22:06Z",
"generator": {
"date": "2026-06-03T14:22:06Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:2258-1",
"initial_release_date": "2026-06-03T14:22:06Z",
"revision_history": [
{
"date": "2026-06-03T14:22:06Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security01-150200.3.88.1.aarch64",
"product": {
"name": "grafana-11.6.14+security01-150200.3.88.1.aarch64",
"product_id": "grafana-11.6.14+security01-150200.3.88.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"product": {
"name": "grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"product_id": "grafana-11.6.14+security01-150200.3.88.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security01-150200.3.88.1.s390x",
"product": {
"name": "grafana-11.6.14+security01-150200.3.88.1.s390x",
"product_id": "grafana-11.6.14+security01-150200.3.88.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security01-150200.3.88.1.x86_64",
"product": {
"name": "grafana-11.6.14+security01-150200.3.88.1.x86_64",
"product_id": "grafana-11.6.14+security01-150200.3.88.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security01-150200.3.88.1.aarch64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64"
},
"product_reference": "grafana-11.6.14+security01-150200.3.88.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security01-150200.3.88.1.ppc64le as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le"
},
"product_reference": "grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security01-150200.3.88.1.s390x as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x"
},
"product_reference": "grafana-11.6.14+security01-150200.3.88.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security01-150200.3.88.1.x86_64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
},
"product_reference": "grafana-11.6.14+security01-150200.3.88.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-29923",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-29923"
}
],
"notes": [
{
"category": "general",
"text": "go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-29923",
"url": "https://www.suse.com/security/cve/CVE-2025-29923"
},
{
"category": "external",
"summary": "SUSE Bug 1241152 for CVE-2025-29923",
"url": "https://bugzilla.suse.com/1241152"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "low"
}
],
"title": "CVE-2025-29923"
},
{
"cve": "CVE-2026-21724",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21724"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21724",
"url": "https://www.suse.com/security/cve/CVE-2026-21724"
},
{
"category": "external",
"summary": "SUSE Bug 1260878 for CVE-2026-21724",
"url": "https://bugzilla.suse.com/1260878"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "moderate"
}
],
"title": "CVE-2026-21724"
},
{
"cve": "CVE-2026-21725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21725"
}
],
"notes": [
{
"category": "general",
"text": "A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21725",
"url": "https://www.suse.com/security/cve/CVE-2026-21725"
},
{
"category": "external",
"summary": "SUSE Bug 1258873 for CVE-2026-21725",
"url": "https://bugzilla.suse.com/1258873"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "low"
}
],
"title": "CVE-2026-21725"
},
{
"cve": "CVE-2026-26958",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-26958"
}
],
"notes": [
{
"category": "general",
"text": "filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-26958",
"url": "https://www.suse.com/security/cve/CVE-2026-26958"
},
{
"category": "external",
"summary": "SUSE Bug 1258570 for CVE-2026-26958",
"url": "https://bugzilla.suse.com/1258570"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "moderate"
}
],
"title": "CVE-2026-26958"
},
{
"cve": "CVE-2026-27876",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27876"
}
],
"notes": [
{
"category": "general",
"text": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable.\n\nOnly instances in the following version ranges are affected:\n\n- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.\n- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.\n- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.\n- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.\n- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27876",
"url": "https://www.suse.com/security/cve/CVE-2026-27876"
},
{
"category": "external",
"summary": "SUSE Bug 1261025 for CVE-2026-27876",
"url": "https://bugzilla.suse.com/1261025"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "critical"
}
],
"title": "CVE-2026-27876"
},
{
"cve": "CVE-2026-27877",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27877"
}
],
"notes": [
{
"category": "general",
"text": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27877",
"url": "https://www.suse.com/security/cve/CVE-2026-27877"
},
{
"category": "external",
"summary": "SUSE Bug 1261026 for CVE-2026-27877",
"url": "https://bugzilla.suse.com/1261026"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "important"
}
],
"title": "CVE-2026-27877"
},
{
"cve": "CVE-2026-27879",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27879"
}
],
"notes": [
{
"category": "general",
"text": "A resample query can be used to trigger out-of-memory crashes in Grafana.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27879",
"url": "https://www.suse.com/security/cve/CVE-2026-27879"
},
{
"category": "external",
"summary": "SUSE Bug 1261027 for CVE-2026-27879",
"url": "https://bugzilla.suse.com/1261027"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "moderate"
}
],
"title": "CVE-2026-27879"
},
{
"cve": "CVE-2026-28375",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-28375"
}
],
"notes": [
{
"category": "general",
"text": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-28375",
"url": "https://www.suse.com/security/cve/CVE-2026-28375"
},
{
"category": "external",
"summary": "SUSE Bug 1261029 for CVE-2026-28375",
"url": "https://bugzilla.suse.com/1261029"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "moderate"
}
],
"title": "CVE-2026-28375"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33375",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33375"
}
],
"notes": [
{
"category": "general",
"text": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33375",
"url": "https://www.suse.com/security/cve/CVE-2026-33375"
},
{
"category": "external",
"summary": "SUSE Bug 1260881 for CVE-2026-33375",
"url": "https://bugzilla.suse.com/1260881"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "moderate"
}
],
"title": "CVE-2026-33375"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
},
{
"cve": "CVE-2026-41602",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41602"
}
],
"notes": [
{
"category": "general",
"text": "Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41602",
"url": "https://www.suse.com/security/cve/CVE-2026-41602"
},
{
"category": "external",
"summary": "SUSE Bug 1263496 for CVE-2026-41602",
"url": "https://bugzilla.suse.com/1263496"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.6.14+security01-150200.3.88.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T14:22:06Z",
"details": "important"
}
],
"title": "CVE-2026-41602"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…