Vulnerability Reportgrafana/grafana:13.0.3

grafana/grafana:13.0grafana/grafana:13.0.3
DIGESTsha256:1a345428a36270f5fb9add69fea71450a5843c15266c99359d6d380470ab19c9

Executive Summary

Last scanned:

Threat Score
25/100NEEDS ATTENTION
Reputation
TRUSTED

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. Two denial-of-service vulnerabilities were found: CVE-2026-42504 (remote CPU exhaustion via crafted MIME headers) and CVE-2026-33630 (use-after-free in DNS resolution). Both are remotely exploitable but limited to denial of service, with no impact on data confidentiality or integrity. The image is from a trusted, verified publisher and has no post-exploit findings; updating the affected packages (stdlib, c-ares) is advised.

Vulnerabilities

Vulnerability Log

53 total
CVE IDAdjusted SeverityPackageExploit ProbabilityRisk Context
CVE-2026-42504MEDIUM6.38
stdlib
v1.26.3
fixed in 1.25.11, 1.26.4
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-33630MEDIUM6
c-ares
1.34.6-r0
fixed in 1.34.8-r0
Directly ExposedContext importance: MEDIUM
CVE-2026-27145MEDIUM5.1
stdlib
v1.26.3
fixed in 1.25.11, 1.26.4
0.9%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-8927LOW3.82
curl
8.20.0-r1
fixed in 8.21.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-8932LOW3.82
curl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-9079LOW3.82
curl
8.20.0-r1
fixed in 8.21.0-r0
0.8%
Theoretical Threat
Post-Exploit
CVE-2026-9545LOW3.82
curl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-9546LOW3.82
curl
8.20.0-r1
fixed in 8.21.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-8927LOW3.82
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-8932LOW3.82
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-9079LOW3.82
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.8%
Theoretical Threat
Post-Exploit
CVE-2026-9545LOW3.82
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-9546LOW3.82
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-9547LOW3.77
curl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-9547LOW3.77
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-9080LOW3.72
curl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-9080LOW3.72
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-48096LOW3.6
github.com/openfga/openfga
v1.14.2
fixed in 1.16.0
0.1%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-42507LOW3.6
stdlib
v1.26.3
fixed in 1.25.11, 1.26.4
0.4%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-11564LOW3.31
curl
8.20.0-r1
fixed in 8.21.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-11856LOW3.31
curl
8.20.0-r1
fixed in 8.21.0-r0
0.8%
Theoretical Threat
Post-Exploit
CVE-2026-8924LOW3.31
curl
8.20.0-r1
fixed in 8.21.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-11564LOW3.31
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-11856LOW3.31
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.8%
Theoretical Threat
Post-Exploit
CVE-2026-8924LOW3.31
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-8286LOW2.48
curl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-8925LOW2.48
curl
8.20.0-r1
fixed in 8.21.0-r0
0.8%
Theoretical Threat
Post-Exploit
CVE-2026-8286LOW2.48
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-8925LOW2.48
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.8%
Theoretical Threat
Post-Exploit
CVE-2026-8926LOW2.45
curl
8.20.0-r1
fixed in 8.21.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-8926LOW2.45
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-10536LOW2.4
curl
8.20.0-r1
fixed in 8.21.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-10536LOW2.4
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-11352LOW2.29
curl
8.20.0-r1
fixed in 8.21.0-r0
0.8%
Theoretical Threat
Post-Exploit
CVE-2026-11586LOW2.29
curl
8.20.0-r1
fixed in 8.21.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-12064LOW2.29
curl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-11352LOW2.29
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.8%
Theoretical Threat
Post-Exploit
CVE-2026-11586LOW2.29
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-12064LOW2.29
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-21728LOW2.29
github.com/grafana/tempo
v1.5.1-0.20251027222923-cbe5f845dc7b
fixed in 2.8.4, 2.9.2, 2.10.2
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-42151LOW2.29
github.com/prometheus/prometheus
v0.305.3
fixed in 0.311.3
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-28377LOW1.99
github.com/grafana/tempo
v1.5.1-0.20251027222923-cbe5f845dc7b
fixed in 2.10.3
0.2%
Theoretical Threat
Post-Exploit
CVE-2026-40179LOW1.87
github.com/prometheus/prometheus
v0.305.3
fixed in 0.311.2-0.20260410083055-07c6232d159b
0.2%
Theoretical Threat
Post-Exploit
CVE-2026-44903LOW1.87
github.com/prometheus/prometheus
v0.305.3
fixed in 0.311.3
0.2%
Theoretical Threat
Post-Exploit
CVE-2026-8458NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Not Applicable
CVE-2026-8458NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.4%
Theoretical Threat
Not Applicable
CVE-2026-55689NONE0
github.com/openfga/openfga
v1.14.2
fixed in 1.18.0
Not Applicable
CVE-2026-55170NONE0
github.com/openfga/openfga
v1.14.2
fixed in 1.18.0
Not Applicable
GO-2026-5932NONE0
golang.org/x/crypto
v0.52.0
No fix yet
Not Applicable
CVE-2026-39822NONE0
stdlib
v1.26.4
fixed in 1.25.12, 1.26.5, 1.27.0-rc.2
Not Applicable
CVE-2026-42505NONE0
stdlib
v1.26.4
fixed in 1.25.12, 1.26.5, 1.27.0-rc.2
Not Applicable
CVE-2026-39822NONE0
stdlib
v1.26.3
fixed in 1.25.12, 1.26.5, 1.27.0-rc.2
Not Applicable
CVE-2026-42505NONE0
stdlib
v1.26.3
fixed in 1.25.12, 1.26.5, 1.27.0-rc.2
Not Applicable

Want to check another image? Run a full scan with the Docker Security Scanner.