Viewer-triggered race condition in Grafana Live leads to complete server crash

Users can generate Service Account tokens after permissions removal

SQL Expressions Read File From Disk

IDOR in Annotations API allows unprivileged users to DELETE annotation

Grafana plugin resources can lead to unbounded memory allocation

Grafana Live push endpoint allows unbounded memory allocation leading to OOM

Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro

Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin

BAC in Snapshot API allows deletion of unauthorized dashboard snapshots

Auth Proxy IPv6 whitelist bypass