VulnerableCode Package Details - pkg:rpm/redhat/grafana@9.0.9-8?arch=el9

Search for packages

Vulnerability	Summary	Fixed by
VCID-7y8a-8can-nba1 Aliases: CVE-2025-22871 GHSA-g9pc-8g42-g6vq	RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.	There are no reported fixed by versions.
VCID-ss32-rtp3-zufc Aliases: CVE-2025-4123 GHSA-q53q-gxq9-mgrj	Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-7y8a-8can-nba1
Aliases:
CVE-2025-22871
GHSA-g9pc-8g42-g6vq

RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

There are no reported fixed by versions.

VCID-ss32-rtp3-zufc
Aliases:
CVE-2025-4123
GHSA-q53q-gxq9-mgrj

Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-02T08:58:40.742075+00:00	RedHat Importer	Affected by	VCID-7y8a-8can-nba1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22871.json	38.6.0
2026-04-10T08:23:05.396730+00:00	RedHat Importer	Affected by	VCID-7y8a-8can-nba1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22871.json	38.1.0
2026-04-01T13:41:04.977065+00:00	RedHat Importer	Affected by	VCID-7y8a-8can-nba1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22871.json	38.0.0
2026-04-01T13:40:12.432682+00:00	RedHat Importer	Affected by	VCID-ss32-rtp3-zufc	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4123.json	38.0.0