Alpine: multiple grafana packages: security update to 12.4.4-r0

high Tenable Cloud Security Plugin ID 443182

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent()
runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which
uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An
Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens
the dashboard. This is a bypass of the CVE-2023-0507 fix. (CVE-2026-9029)

- The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input
into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-
configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled
endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate
internal service data via Loki's CallResource which returns full HTTP response bodies. (CVE-2026-10601)
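The sanitize-then-interpolate ordering bug described for CVE-2026-9029, reduced to an added illustration that is not Grafana's own code: `sanitize()` and `replaceVars()` are simplified stand-ins (assumptions) for sanitizeTextPanelContent() and getTemplateSrv().replace(), and the tile URL and variable value are constructed.

```javascript
// Minimal HTML escaper standing in for sanitizeTextPanelContent().
// Assumption: Grafana's real sanitizer is richer, but the ordering issue is the same.
function sanitize(html) {
  return html.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Stand-in for getTemplateSrv().replace(): substitutes ${name} with the raw
// variable value, as the glob format does, with no HTML escaping.
function replaceVars(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (m, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? String(vars[name]) : m);
}

// Vulnerable order: the template is sanitized while the placeholder is still
// inert text, and the raw variable value is spliced in afterwards.
function renderSanitizeThenInterpolate(template, vars) {
  return replaceVars(sanitize(template), vars);
}

// Fixed order: interpolate first, then sanitize the final string that will
// reach element.innerHTML.
function renderInterpolateThenSanitize(template, vars) {
  return sanitize(replaceVars(template, vars));
}

// True when any HTML tag survives in the string handed to innerHTML.
function markupSurvives(html) {
  return /<[a-z]/i.test(html);
}

// Constructed inputs: an XYZ tile URL template and a variable value that
// carries a harmless tag, enough to show which order lets markup through.
const tileUrl = 'https://tiles.example/${layer}/{z}/{x}/{y}.png';
const vars = { layer: 'osm<b>tag</b>' };

console.log('sanitize-then-interpolate leaks markup:',
  markupSurvives(renderSanitizeThenInterpolate(tileUrl, vars)));   // true
console.log('interpolate-then-sanitize leaks markup:',
  markupSurvives(renderInterpolateThenSanitize(tileUrl, vars)));   // false
```

The same check applies to any sanitize/interpolate pair: the sanitizer must run on the fully expanded string, or the variable value bypasses it.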

Solution

Update the grafana library and its related packages to version 12.4.4-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-10601

https://security.alpinelinux.org/vuln/CVE-2026-33382

https://security.alpinelinux.org/vuln/CVE-2026-42127

https://security.alpinelinux.org/vuln/CVE-2026-42129

https://security.alpinelinux.org/vuln/CVE-2026-8595

https://security.alpinelinux.org/vuln/CVE-2026-8609

https://security.alpinelinux.org/vuln/CVE-2026-9029

Plugin Details

Severity: High

ID: 443182

Version: Revision 1.2

Type: Local

Published: 6/13/2026

Updated: 6/23/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v3

Risk Factor: High

Base Score: 7.7

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2026-42129

Vulnerability Information

Exploit Ease: No known exploits are available

Reference Information

CVE: CVE-2026-10601, CVE-2026-33382, CVE-2026-42127, CVE-2026-42129, CVE-2026-8595, CVE-2026-8609, CVE-2026-9029