To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc: Boris Korzun
From: Yusuf Yaman
Subject: git: 9bfe0d3977bd - main - security/vuxml: Add www/grafana vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: nxjoseph
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Commit: 9bfe0d3977bd2e863bf86482ee0e2382d0b90487
Date: Tue, 26 May 2026 13:06:30 +0000
Message-Id: <6a159ad6.46918.1b047e32@gitrepo.freebsd.org>

The branch main has been updated by nxjoseph:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9bfe0d3977bd2e863bf86482ee0e2382d0b90487

commit 9bfe0d3977bd2e863bf86482ee0e2382d0b90487
Author:     Boris Korzun
AuthorDate: 2026-05-26 12:58:35 +0000
Commit:     Yusuf Yaman
CommitDate: 2026-05-26 13:06:04 +0000

    security/vuxml: Add www/grafana vulnerabilities

    - XSS in Grafana Explore stack trace (CVE-2025-41117)
    - Public Dashboards time range restriction on annotations can be bypassed (CVE-2026-21722)
    - RCE on Grafana via sqlExpressions (CVE-2026-27876)
    - Public dashboards discloses all direct mode datasources (CVE-2026-27877)
    - Query resampling can cause unbounded memory allocations (CVE-2026-27879)
    - OpenFeature evaluation API reads input data with no bounds (CVE-2026-27880)
    - Grafana Testdata datasource can issue unbounded memory allocations (CVE-2026-28375)
    - Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS (CVE-2026-33375)

    PR:             294105
    Reported by:    Boris Korzun
---
 security/vuxml/vuln/2026.xml | 263 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 263 insertions(+)
diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 5c17e3a20c0d..8b1de1c59a8d 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,3 +1,266 @@ + + Grafana -- Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS + + + grafana + 11.6.011.6.14 + 12.1.012.1.10 + 12.2.012.2.8 + 12.3.012.3.6 + 12.4.012.4.2 + + + + +

https://grafana.com/security/security-advisories/cve-2026-33375 reports:

+
+

The Grafana MSSQL data source plugin contains a logic flaw that + allows a low-privileged user (Viewer) to bypass API restrictions + and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, + crashing the host container.

+
+ +
+ + CVE-2026-33375 + https://cveawg.mitre.org/api/cve/CVE-2026-33375 + + + 2026-03-26 + 2026-05-26 + +
+ + + Grafana -- Grafana Testdata datasource can issue unbounded memory allocations + + + grafana + 8.1.011.6.14 + 12.0.012.1.10 + 12.2.012.2.8 + 12.3.012.3.6 + 12.4.012.4.2 + + + + +

https://grafana.com/security/security-advisories/cve-2026-28375 reports:

+
+

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

+
+ +
+ + CVE-2026-28375 + https://cveawg.mitre.org/api/cve/CVE-2026-28375 + + + 2026-03-27 + 2026-05-26 + +
+ + + Grafana -- OpenFeature evaluation API reads input data with no bounds + + + grafana + 12.1.012.1.10 + 12.2.012.2.8 + 12.3.012.3.6 + 12.4.012.4.2 + + + + +

https://grafana.com/security/security-advisories/cve-2026-27880 reports:

+
+

The OpenFeature feature toggle evaluation endpoint reads unbounded + values into memory, which can cause out-of-memory crashes.

+
+ +
+ + CVE-2026-27880 + https://cveawg.mitre.org/api/cve/CVE-2026-27880 + + + 2026-03-27 + 2026-05-26 + +
+ + + Grafana -- Query resampling can cause unbounded memory allocations + + + grafana + 8.0.011.6.14 + 12.0.012.1.10 + 12.2.012.2.8 + 12.3.012.3.6 + 12.4.012.4.2 + + + + +

https://grafana.com/security/security-advisories/cve-2026-27879 reports:

+
+

A resample query can be used to trigger out-of-memory crashes in Grafana.

+
+ +
+ + CVE-2026-27879 + https://cveawg.mitre.org/api/cve/CVE-2026-27879 + + + 2026-03-27 + 2026-05-26 + +
+ + + Grafana -- Public dashboards discloses all direct mode datasources + + + grafana + 9.3.011.6.14 + 12.0.012.1.10 + 12.2.012.2.8 + 12.3.012.3.6 + 12.4.012.4.2 + + + + +

https://grafana.com/security/security-advisories/cve-2026-27877 reports:

+
+

When using public dashboards and direct data-sources, all direct + data-sources' passwords are exposed despite not being used in dashboards. + + No passwords of proxied data-sources are exposed. We encourage all + direct data-sources to be converted to proxied data-sources as far + as possible to improve your deployments' security.

+
+ +
+ + CVE-2026-27877 + https://cveawg.mitre.org/api/cve/CVE-2026-27877 + + + 2026-03-27 + 2026-05-26 + +
+ + + Grafana -- RCE on Grafana via sqlExpressions + + + grafana + 11.6.011.6.14 + 12.0.012.1.10 + 12.2.012.2.8 + 12.3.012.3.6 + 12.4.012.4.2 + + + + +

https://grafana.com/security/security-advisories/cve-2026-27876 reports:

+
+

A chained attack via SQL Expressions and a Grafana Enterprise plugin + can lead to a remote arbitrary code execution impact (RCE). This + is enabled by a feature in Grafana (OSS), so all users are always + recommended to update to avoid future attack vectors going this + path. + + Only instances with the sqlExpressions feature toggle enabled are + vulnerable.

+
+ +
+ + CVE-2026-27876 + https://cveawg.mitre.org/api/cve/CVE-2026-27876 + + + 2026-03-27 + 2026-05-26 + +
+ + + Grafana -- Public Dashboards time range restriction on annotations can be bypassed + + + grafana + 9.3.011.6.10 + 12.0.012.1.6 + 12.2.012.2.4 + 12.3.012.3.2 + + + + +

https://grafana.com/security/security-advisories/cve-2026-21722 reports:

+
+

Public dashboards with annotations enabled did not limit their + annotation timerange to the locked timerange of the public dashboard. + This means one could read the entire history of annotations visible + on the specific dashboard, even those outside the locked timerange. + + This did not leak any annotations that would not otherwise be visible + on the public dashboard.

+
+ +
+ + CVE-2026-21722 + https://cveawg.mitre.org/api/cve/CVE-2026-21722 + + + 2026-02-12 + 2026-05-26 + +
+ + + Grafana -- XSS in Grafana Explore stack trace + + + grafana + 12.2.012.2.4 + 12.3.012.3.2 + + + + +

https://grafana.com/security/security-advisories/cve-2025-41117 reports:

+
+

Stack traces in Grafana's Explore Traces view can be rendered as + raw HTML, and thus inject malicious JavaScript in the browser. This + would require malicious JavaScript to be entered into the stack + trace field. + + Only datasources with the Jaeger HTTP API appear to be affected; + Jaeger gRPC and Tempo do not appear affected whatsoever.

+
+ +
+ + CVE-2025-41117 + https://cveawg.mitre.org/api/cve/CVE-2025-41117 + + + 2026-02-12 + 2026-05-26 + +
+ jellyfin -- multiple vulnerabilities
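Review bot: in all eight new entries the Grafana advisory URL (for example https://grafana.com/security/security-advisories/cve-2026-33375) appears only inside the body text ("... reports:"), while the references block carries just the CVE name and the https://cveawg.mitre.org/api/cve/... link; add the vendor advisory as a url reference as well so consumers that only read references can reach the primary source. Two further things to check before this lands: the version ranges render here as run-together strings such as "11.6.011.6.14" and "12.4.012.4.2" because the markup was stripped in the mail, so confirm in the committed file that each is a proper lower-bound/upper-bound pair and that the lower bounds (8.0.0, 8.1.0, 9.3.0, 11.6.0, 12.0.0, 12.1.0) match the advisories; and the CVE-2026-27876 body correctly keeps the caveat that only instances with the sqlExpressions feature toggle enabled are vulnerable, as does the CVE-2025-41117 body for Jaeger HTTP API datasources, which is worth preserving verbatim since the ranges alone would overstate exposure.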