Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1037-1 advisory.

    - Security issues fixed:

      - CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled     (bsc#1258136)
      - CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
      - CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
      - CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)
      - CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)

    - Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:

      - Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and         removed blurred backgrounds from UI overlays to speed up the interface.
      - One-Click Actions: Visualizations now support faster navigation via one-click links and actions.
      - Alerting History: Added version history for alert rules, allowing you to track changes over time.
      - Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon     startup.
      - Cron Support: Annotations now support Cron syntax for more flexible scheduling.
      - Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login     redirection issues         when Grafana is hosted on a subpath.
      - Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend     formatting.
      - Alerting Limits: Added size limits for expanded notification templates to prevent system strain.
      - RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field.
      - Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled     in repeated         rows or nested queries.
      - Dashboard Reliability: Resolved bugs involving row repeats and 'self-referencing' data links.
      - Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed     issues where         contact points weren't working correctly.
      - URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1013-1 advisory.

    dracut-saltboot:

    - Version update to 1.1.0:

      * Retry DHCP requests up to 3 times (bsc#1253004)

    golang-github-QubitProducts-exporter_exporter:

    - Non-customer-facing optimization and update

    golang-github-boynux-squid_exporter:

    - Version update from 1.6.0 to 1.13.0 with the following highlighted changes and fixes (jsc#PED-14971):

      * Added compatibility for Squid 6 and support for the squid-internal-mgr metrics path
      * Added TLS and Basic Authentication to the exporters web interface
      * Added support for the exporter to authenticate against the Squid proxy itself
      * Allow the gathering of process information without requiring root privileges
      * The exporter can now be configured using environment variables
      * Added support for custom labels to all exported metrics for better data filtering
      * New metrics to track if Squid is running (squid_up), how long a scrape takes, and if any errors     occurred
      * Added 'service time' metrics to analyze proxy speed and performance.
      * Added a metric for open file descriptors (process_open_fds) to help prevent connection bottlenecks
      * Corrected the squid_client_http_requests_total metric to ensure accurate reporting


    golang-github-lusitaniae-apache_exporter:

    - Version update from 1.0.8 to 1.0.10:

      * Updated github.com/prometheus/client_golang to 1.21.1
      * Updated github.com/prometheus/common to 0.63.0
      * Updated github.com/prometheus/exporter-toolkit to 0.14.0
      * Fixed signal handler logging

    golang-github-prometheus-prometheus:

    - Security issues fixed:

      * CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
      * CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption     (bsc#1257841)
      * CVE-2026-1615, CVE-2025-61140 The old web UI is no longer built due to security issues (bsc#1257897,     bsc#1257442)
      * CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability     (bsc#1257329)
      * CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications     (bsc#1255588)

    - Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824):

      * Modernized Interface: Introduced a brand-new UI
      * Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload     Identity support         for more secure, native cloudauthentication.
      * Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms     from experimental         to a stable feature.
      * Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling     when sending         data to external systems.
      * Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for     grouping         operations
      * Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts,     making it easier         to troubleshoot why targets aren't reporting correctly.
      * Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where     targets were         accidentally being scraped multiple times

    grafana:

    - Security issues fixed:

      * CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled     (bsc#1258136)
      * CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
      * CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
      * CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)
      * CVE-2025-3415: Fixedexposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)

    - Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:

      * Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and         removed blurred backgrounds from UI overlays to speed up the interface
      * One-Click Actions: Visualizations now support faster navigation via one-click links and actions
      * Alerting History: Added version history for alert rules, allowing you to track changes over time
      * Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup
      * Cron Support: Annotations now support Cron syntax for more flexible scheduling
      * Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login     redirection issues         when Grafana is hosted on a subpath
      * Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend     formatting
      * Alerting Limits: Added size limits for expanded notification templates to prevent system strain
      * RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field
      * Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled     in repeated         rows or nested queries
      * Dashboard Reliability: Resolved bugs involving row repeats and 'self-referencing' data links
      * Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed     issues where         contact points weren't working correctly
      * URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly

    prometheus-blackbox_exporter:

    - Non-customer-facing optimization and update

    spacecmd:

    - Version update to 5.0.15:

      * Fixed typo in spacecmd help ca-cert flag (bsc#1253174)
      * Convert cached IDs to integer values (bsc#1251995)
      * Fixed spacecmd binary file upload (bsc#1253659)

    uyuni-tools:

    - Version update to 0.1.38:

      * Fixed cobbler configuration when migrating to standalone files (bsc#1256803)
      * Detect custom apache and squid config in the /etc/uyuni/proxy folder
      * Add ssh tuning to configure sshd (bsc#1253738)
      * Ignore supportconfig errors (bsc#1255781)
      * Bumped the default image tag to 5.0.7
      * Removed cgroup mount for podman containers (bsc#1253347)
      * Registry flag can be a string (bsc#1254589)
      * Use static supportconfig name to avoid dynamic search (bsc#1257941)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:4482-1 advisory.

    grafana was updated from version 11.5.5 to 11.5.10:

    - Security issues fixed:

      * CVE-2025-64751: Dropped experimental implementation of authorization Zanzana server/client (version     11.5.10)         (bsc#1254113)
      * CVE-2025-47911: Fixed parsing HTML documents (version 11.5.10) (bsc#1251454)
      * CVE-2025-58190: Fixed excessive memory consumption (version 11.5.10) (bsc#1251657)
      * CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616)
      * CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735)
      * CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736)
      * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version     11.5.6)                        (bsc#1245302)


Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:4458-1 advisory.

    dracut-saltboot:

    - Update to version 1.0.0
      * Reboot on salt key timeout (bsc#1237495)
      * Fixed parsing files with space in the name (bsc#1252100)

    grafana was updated from version 11.5.5 to 11.5.10:

    - Security issues fixed:

      * CVE-2025-47911: Fix parsing HTML documents (bsc#1251454)
      * CVE-2025-58190: Fix excessive memory consumption (bsc#1251657)
      * CVE-2025-64751: Drop experimental implementation of authorization Zanzana server/client                         (bsc#1254113)
      * CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616)
      * CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735)
      * CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736)
      * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version     11.5.6)                        (bsc#1245302)


Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0596 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2025-1088:
    An access control vulnerability was discovered in Grafana OSS where an Organization administrator could     permanently delete the Server administrator account. This vulnerability exists in the DELETE     /api/org/users/ endpoint.

    The vulnerability can be exploited when:

    1. An Organization administrator exists

    2. The Server administrator is either:

     - Not part of any organization, or
     - Part of the same organization as the Organization administrator     Impact:

    - Organization administrators can permanently delete Server administrator accounts

    - If the only Server administrator is deleted, the Grafana instance becomes unmanageable

    - No super-user permissions remain in the system

    - Affects all users, organizations, and teams managed in the instance

    The vulnerability is particularly serious as it can lead to a complete loss of administrative control over     the Grafana instance.

    CVE-2024-10452:
    Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing     integration was not properly protected and could be exposed to users with Viewer permission.
    Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01,     11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

    CVE-2025-3580:
    In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become     unresponsive due to Improper Input Validation vulnerability in Grafana.
    This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.

    CVE-2025-3415:
    Organization admins can delete pending invites created in an organization they are not part of.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing     integration was not properly protected and could be exposed to users with Viewer permission. Fixed in     versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01,     11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 (CVE-2025-3415)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Grafana Labs installed on the remote host is affected by a vulnerability as referenced in the CVE-2025-3415 advisory. 

  - Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing     integration was not properly protected and could be exposed to users with Viewer permission.     (CVE-2025-3415)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 6548cb01-4c33-11f0-8a97-6c3be5272acd advisory.

    Grafana Labs reports:
    An incident occurred where the DingDing alerting integration URL               was inadvertently exposed to viewers due to a setting oversight,               which we learned about through a bug bounty report.
    The CVSS 3.0 score for this vulnerability is 4.3 (Medium).

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
303789	SUSE SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2026:1037-1)	Nessus	SuSE Local Security Checks	high
303779	SUSE SLES15 / openSUSE 15 : Security update 5.0.7 for Multi-Linux Manager Client Tools (SUSE-SU-2026:1013-1)	Nessus	SuSE Local Security Checks	critical
279356	SUSE SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2025:4482-1)	Nessus	SuSE Local Security Checks	medium
279353	openSUSE 15 : Security update 5.0.6 for Multi-Linux Manager Client Tools (SUSE-SU-2025:4458-1)	Nessus	SuSE Local Security Checks	high
249979	TencentOS Server 4: grafana (TSSA-2025:0596)	Nessus	Tencent Local Security Checks	low
244247	Linux Distros Unpatched Vulnerability : CVE-2025-3415	Nessus	Misc.	medium
242626	Grafana Labs Integration URL Exposed to Viewers (CVE-2025-3415)	Nessus	Web Servers	medium
240187	FreeBSD : Grafana -- DingDing contact points exposed in Grafana Alerting (6548cb01-4c33-11f0-8a97-6c3be5272acd)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2025-3415

medium

Tenable Plugins

high

critical

medium

high

low

medium

medium

high