Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Untriaged
Filter by:
With package: grafanaPlugins.grafana-discourse-datasource

Found 52 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-27880
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 days, 13 hours ago
OpenFeature evaluation API reads input data with no bounds

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

References

Affected products

Grafana
  • <v12.1.10
  • <v12.3.6
  • <v12.4.2
  • <v12.2.8

Matching in nixpkgs

Permalink CVE-2026-28375
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 days, 13 hours ago
Grafana Testdata datasource can issue unbounded memory allocations

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

References

Affected products

Grafana
  • <v12.3.6
  • <v12.2.8
  • <v12.4.2
  • <v12.1.10
  • <v11.6.14

Matching in nixpkgs

Permalink CVE-2026-27879
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 days, 13 hours ago
Query resampling can cause unbounded memory allocations

A resample query can be used to trigger out-of-memory crashes in Grafana.

References

Affected products

Grafana
  • <v12.3.6
  • <v12.2.8
  • <v12.4.2
  • <v12.1.10
  • <v11.6.14

Matching in nixpkgs

Permalink CVE-2026-27877
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 days, 13 hours ago
Public dashboards discloses all direct mode datasources

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

References

Affected products

Grafana
  • <v12.3.6
  • <v12.2.8
  • <v12.4.2
  • <v12.1.10
  • <v11.6.14

Matching in nixpkgs

Permalink CVE-2026-33291
created 1 week, 2 days ago
Discourse user can create Zendesk tickets even when it does not have access to topic

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators can create Zendesk tickets for topics they do not have access to view. This affects all forums that use the Zendesk plugin. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-27935
created 1 week, 3 days ago
Discourse leaks private topic metadata to non-authorized users

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-33394
2.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 week, 3 days ago
Discourse leaks PM post edits to moderators

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-27491
created 1 week, 3 days ago
Discourse has a bypass of official warnings messages by non-staff users

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-33355
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 week, 3 days ago
Discourse filters whisper posts from private-posts feed

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-32099
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 week, 3 days ago
Discourse prevents hidden profile data leak via user onebox

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, when a user has `hide_profile` enabled, their bio, location, and website were still exposed through the user onebox preview. An authenticated user could request a onebox for a hidden user's profile URL and receive their hidden profile fields (bio, location, website) in the response. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers