[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2021-43798":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T02:55:30.529Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":40,"aliases":80,"duplicate_of":9,"upstream":83,"downstream":84,"duplicates":111,"related":112,"reserved_at":9,"published_at":125,"modified_at":126,"state":127,"summary":128,"references_raw":138,"kevs":206,"epss":217,"epss_history":220,"metrics":412,"affected":427},"CVE-2021-43798","Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `\u003Cgrafana_host_url>/public/plugins/\u003Cplugin-id>/`, where `\u003Cplugin-id>` is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-22","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.","weakness","Stable","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-126","Path Traversal",[],{"id":25,"name":26,"techniques":27},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":29,"name":30,"techniques":31},"CAPEC-76","Manipulating Web Input to File System 
Calls",[],{"id":33,"name":34,"techniques":35},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":37,"name":38,"techniques":39},"CAPEC-79","Using Slashes in Alternate Encoding",[],[41,50,63],{"_key":42,"name":43,"source":44,"url":45,"maturity":46,"reliability_score":47,"verified":48,"type":9,"platforms":49,"requires_auth":9,"exploitdb":9,"metasploit":9},"REF_303EE58D28C275D6","Exploit Reference (packetstormsecurity.com)","reference","http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html","unknown",0.2,false,[],{"_key":51,"name":52,"source":53,"url":54,"maturity":55,"reliability_score":56,"verified":48,"type":9,"platforms":57,"requires_auth":9,"exploitdb":59,"metasploit":9},"50581","Grafana 8.3.0 - Directory Traversal and Arbitrary File Read","exploit-database","https://www.exploit-db.com/exploits/50581","poc",0.5,[58],"multiple",{"verified":48,"type":60,"platform":58,"file":61,"codes":62},"webapps","exploits/multiple/webapps/50581.py",[7],{"_key":64,"name":65,"source":66,"url":67,"maturity":55,"reliability_score":56,"verified":48,"type":68,"platforms":69,"requires_auth":48,"exploitdb":9,"metasploit":70},"MSF_AUXILIARY_SCANNER_HTTP_GRAFANA_PLUGIN_TRAVERSAL","Grafana Plugin Path 
Traversal","metasploit","https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb","remote",[],{"fullname":71,"rank":72,"rank_name":73,"post_auth":48,"check":48,"notes":74},"auxiliary/scanner/http/grafana_plugin_traversal",300,"normal",{"Stability":75,"SideEffects":77,"Reliability":79},[76],"crash-safe",[78],"ioc-in-logs",[],[81,82],"GHSA-8pjx-jj86-j47p","BIT-grafana-2021-43798",[],[85,87,89,91,93,95,97,99,101,103,105,107,109],{"_key":86},"UBUNTU-CVE-2021-43798",{"_key":88},"SUSE-SU-2024:0487-1",{"_key":90},"SUSE-SU-2022:2134-1",{"_key":92},"SUSE-SU-2022:3676-1",{"_key":94},"SUSE-SU-2022:4439-1",{"_key":96},"SUSE-SU-2024:0191-1",{"_key":98},"SUSE-SU-2024:0196-1",{"_key":100},"SUSE-SU-2024:0486-1",{"_key":102},"SUSE-FU-2022:1419-1",{"_key":104},"SUSE-SU-2022:1396-1",{"_key":106},"SUSE-SU-2022:4428-1",{"_key":108},"SUSE-SU-2022:4437-1",{"_key":110},"OPENSUSE-SU-2024:11816-1",[],[113,114,115,116,117,118,119,120,121,122,123,124],{"_key":88},{"_key":90},{"_key":92},{"_key":94},{"_key":96},{"_key":98},{"_key":100},{"_key":102},{"_key":104},{"_key":106},{"_key":108},{"_key":110},"2021-12-07T18:25:10.000Z","2025-10-21T23:25:24.009Z","Analyzed",{"cisa_kev":129,"cisa_ransomware":48,"cisa_vendor":130,"epss_severity":131,"epss_score":132,"severity":133,"severity_score":134,"severity_version":135,"severity_source":136,"severity_vector":137,"severity_status":127},true,"Grafana Labs","critical",0.94438,"high",7.5,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",[139,149,155,160,164,168,174,178,182,188,193,198,202],{"url":140,"sources":141,"tags":144},"https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p",[136,142,143],"nvd","osv_go",[145,146,147,148],"X Refsource CONFIRM","Patch","Vendor Advisory","WEB",{"url":150,"sources":151,"tags":152},"https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce",[136,142,143],[153,146,154,148],"X Refsource MISC","Third 
Party Advisory",{"url":156,"sources":157,"tags":158},"http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html",[136,142,143],[153,154,159,148],"VDB Entry",{"url":161,"sources":162,"tags":163},"https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/",[136,142],[145,147],{"url":45,"sources":165,"tags":166},[136,142,143],[153,167,154,159,148],"Exploit",{"url":169,"sources":170,"tags":171},"http://www.openwall.com/lists/oss-security/2021/12/09/2",[136,142,143],[172,173,146,154,148],"Mailing List","X Refsource MLIST",{"url":175,"sources":176,"tags":177},"http://www.openwall.com/lists/oss-security/2021/12/10/4",[136,142,143],[172,173,146,154,148],{"url":179,"sources":180,"tags":181},"https://security.netapp.com/advisory/ntap-20211229-0004/",[136,142],[145,154],{"url":183,"sources":184,"tags":185},"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43798",[136,142,143],[186,187,148],"Government Resource","US Government Resource",{"url":189,"sources":190,"tags":191},"https://nvd.nist.gov/vuln/detail/CVE-2021-43798",[143],[192],"Advisory",{"url":194,"sources":195,"tags":196},"https://github.com/grafana/grafana",[143],[197],"PACKAGE",{"url":199,"sources":200,"tags":201},"https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal",[143],[148],{"url":203,"sources":204,"tags":205},"https://security.netapp.com/advisory/ntap-20211229-0004",[143],[148],[207],{"source":208,"vendor":130,"product":209,"date_added":210,"vulnerability_name":211,"short_description":212,"required_action":213,"due_date":214,"known_ransomware_campaign_use":215,"notes":216,"exploitation_type":9},"cisa","Grafana","2025-10-09","Grafana Path Traversal Vulnerability","Grafana contains a path traversal vulnerability that could allow access to local files.","Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the 
product if mitigations are unavailable.","2025-10-30","Unknown","https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ ; https://nvd.nist.gov/vuln/detail/CVE-2021-43798",{"date":218,"score":132,"percentile":219},"2026-06-04",0.99989,[221,224,226,228,230,232,234,236,238,240,242,244,246,248,250,254,256,258,261,263,266,268,270,272,274,276,278,280,284,287,289,291,293,295,297,299,301,303,305,307,309,311,313,315,317,319,321,323,325,327,329,331,333,335,339,341,343,345,347,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,382,384,386,388,390,392,394,396,398,400,402,404,406,408,410],{"date":222,"score":132,"percentile":223},"2025-11-04",0.99987,{"date":225,"score":132,"percentile":223},"2025-11-05",{"date":227,"score":132,"percentile":223},"2025-11-06",{"date":229,"score":132,"percentile":223},"2025-11-07",{"date":231,"score":132,"percentile":223},"2025-11-08",{"date":233,"score":132,"percentile":223},"2025-11-09",{"date":235,"score":132,"percentile":223},"2025-11-10",{"date":237,"score":132,"percentile":223},"2025-11-11",{"date":239,"score":132,"percentile":223},"2025-11-12",{"date":241,"score":132,"percentile":223},"2025-11-13",{"date":243,"score":132,"percentile":223},"2025-11-14",{"date":245,"score":132,"percentile":223},"2025-11-15",{"date":247,"score":132,"percentile":223},"2025-11-16",{"date":249,"score":132,"percentile":223},"2025-11-17",{"date":251,"score":252,"percentile":253},"2025-11-18",0.9381,0.99907,{"date":255,"score":252,"percentile":253},"2025-11-19",{"date":257,"score":252,"percentile":253},"2025-11-20",{"date":259,"score":132,"percentile":260},"2025-11-21",0.99985,{"date":262,"score":132,"percentile":260},"2025-11-22",{"date":264,"score":132,"percentile":265},"2025-11-23",0.99986,{"date":267,"score":132,"percentile":265},"2025-11-24",{"date":269,"score":132,"percentile":265},"2025-11-25",{"date":271,"score":132,"percentile":265},"2025-11-26",{"date":273,"score":132,"percentile":265}
,"2025-11-27",{"date":275,"score":132,"percentile":265},"2025-11-28",{"date":277,"score":132,"percentile":265},"2025-11-29",{"date":279,"score":132,"percentile":265},"2025-11-30",{"date":281,"score":282,"percentile":283},"2025-12-01",0.94422,0.99979,{"date":285,"score":282,"percentile":286},"2025-12-02",0.9998,{"date":288,"score":282,"percentile":286},"2025-12-03",{"date":290,"score":132,"percentile":265},"2025-12-04",{"date":292,"score":132,"percentile":265},"2025-12-05",{"date":294,"score":132,"percentile":265},"2025-12-06",{"date":296,"score":132,"percentile":223},"2025-12-07",{"date":298,"score":132,"percentile":223},"2025-12-08",{"date":300,"score":132,"percentile":223},"2025-12-09",{"date":302,"score":132,"percentile":223},"2025-12-10",{"date":304,"score":132,"percentile":223},"2025-12-11",{"date":306,"score":132,"percentile":265},"2025-12-12",{"date":308,"score":132,"percentile":223},"2025-12-13",{"date":310,"score":132,"percentile":223},"2025-12-14",{"date":312,"score":132,"percentile":265},"2025-12-15",{"date":314,"score":132,"percentile":265},"2025-12-16",{"date":316,"score":132,"percentile":265},"2025-12-17",{"date":318,"score":132,"percentile":260},"2025-12-18",{"date":320,"score":132,"percentile":260},"2025-12-19",{"date":322,"score":132,"percentile":265},"2025-12-20",{"date":324,"score":132,"percentile":265},"2025-12-21",{"date":326,"score":132,"percentile":265},"2025-12-22",{"date":328,"score":132,"percentile":265},"2025-12-23",{"date":330,"score":132,"percentile":223},"2025-12-24",{"date":332,"score":132,"percentile":223},"2025-12-25",{"date":334,"score":132,"percentile":223},"2025-12-26",{"date":336,"score":337,"percentile":338},"2025-12-27",0.94415,0.99977,{"date":340,"score":132,"percentile":223},"2025-12-28",{"date":342,"score":132,"percentile":223},"2025-12-29",{"date":344,"score":132,"percentile":223},"2025-12-30",{"date":346,"score":132,"percentile":223},"2025-12-31",{"date":348,"score":282,"percentile":349},"2026-01-01",0.99981,{"date":351,"s
core":282,"percentile":349},"2026-01-02",{"date":353,"score":282,"percentile":349},"2026-01-03",{"date":355,"score":132,"percentile":265},"2026-01-04",{"date":357,"score":132,"percentile":265},"2026-01-05",{"date":359,"score":132,"percentile":265},"2026-01-06",{"date":361,"score":132,"percentile":265},"2026-01-07",{"date":363,"score":132,"percentile":265},"2026-01-08",{"date":365,"score":132,"percentile":265},"2026-01-09",{"date":367,"score":132,"percentile":265},"2026-01-10",{"date":369,"score":132,"percentile":265},"2026-01-11",{"date":371,"score":132,"percentile":265},"2026-01-12",{"date":373,"score":132,"percentile":265},"2026-01-13",{"date":375,"score":132,"percentile":265},"2026-01-14",{"date":377,"score":132,"percentile":265},"2026-01-15",{"date":379,"score":132,"percentile":265},"2026-01-16",{"date":381,"score":132,"percentile":265},"2026-01-17",{"date":383,"score":132,"percentile":260},"2026-01-18",{"date":385,"score":132,"percentile":260},"2026-01-19",{"date":387,"score":132,"percentile":260},"2026-01-20",{"date":389,"score":132,"percentile":260},"2026-01-21",{"date":391,"score":132,"percentile":260},"2026-01-22",{"date":393,"score":132,"percentile":260},"2026-01-23",{"date":395,"score":132,"percentile":265},"2026-01-24",{"date":397,"score":132,"percentile":265},"2026-01-25",{"date":399,"score":132,"percentile":265},"2026-01-26",{"date":401,"score":132,"percentile":265},"2026-01-27",{"date":403,"score":132,"percentile":265},"2026-01-28",{"date":405,"score":132,"percentile":265},"2026-01-29",{"date":407,"score":132,"percentile":265},"2026-01-30",{"date":409,"score":132,"percentile":223},"2026-01-31",{"date":411,"score":282,"percentile":349},"2026-02-01",[413,418,424],{"source":136,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":414,"cvss_v4_0":9},{"baseScore":134,"baseSeverity":415,"vectorString":137,"impactScore":416,"exploitabilityScore":417},"HIGH",6,10,{"source":142,"cvss_v2_0":419,"cvss_v3_0":9,"cvss_v3_1":423,"cvss_v4_0":9},{"baseScore":420,"baseSeverity":9,"
vectorString":421,"impactScore":422,"exploitabilityScore":417},5,"AV:N/AC:L/Au:N/C:P/I:N/A:N",2.9,{"baseScore":134,"baseSeverity":415,"vectorString":137,"impactScore":416,"exploitabilityScore":417},{"source":143,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":425,"cvss_v4_0":9},{"baseScore":134,"baseSeverity":9,"vectorString":426,"impactScore":416,"exploitabilityScore":417},"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H",[428,454],{"ecosystem":429,"name":430,"vendor":431,"product":432,"cpe_part":9,"purl_type":433,"purl_namespace":431,"purl_name":432,"source":9,"versions":434},"Go","github.com/grafana/grafana","github.com/grafana","grafana","golang",[435,442,446,450],{"version":436,"is_range":129,"range_type":437,"version_start":438,"version_start_type":439,"version_end":440,"version_end_type":441,"fixed_in":9},"gte8_3_0_lt8_3_1","semver","8.3.0","including","8.3.1","excluding",{"version":443,"is_range":129,"range_type":437,"version_start":444,"version_start_type":439,"version_end":445,"version_end_type":441,"fixed_in":9},"gte8_2_0_lt8_2_7","8.2.0","8.2.7",{"version":447,"is_range":129,"range_type":437,"version_start":448,"version_start_type":439,"version_end":449,"version_end_type":441,"fixed_in":9},"gte8_1_0_lt8_1_8","8.1.0","8.1.8",{"version":451,"is_range":129,"range_type":437,"version_start":452,"version_start_type":439,"version_end":453,"version_end_type":441,"fixed_in":9},"gte8_0_0_beta1_lt8_0_7","8.0.0-beta1","8.0.7",{"ecosystem":9,"name":432,"vendor":432,"product":432,"cpe_part":455,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":456},"a",[457,461,463,465,467,468,471,473,475],{"version":458,"is_range":129,"range_type":459,"version_start":460,"version_start_type":439,"version_end":453,"version_end_type":441,"fixed_in":9},"gte8.0.1_lt8.0.7","cpe","8.0.1",{"version":462,"is_range":48,"range_type":459,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"8.0.0:beta1",{"version":464,"is_range":48,"range_type"
:459,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"8.0.0:beta2",{"version":466,"is_range":48,"range_type":459,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"8.0.0:beta3",{"version":438,"is_range":48,"range_type":459,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":469,"is_range":129,"range_type":136,"version_start":470,"version_start_type":439,"version_end":453,"version_end_type":441,"fixed_in":9},">= 8.0.0, \u003C 8.0.7","8.0.0",{"version":472,"is_range":129,"range_type":459,"version_start":448,"version_start_type":439,"version_end":449,"version_end_type":441,"fixed_in":9},">= 8.1.0, \u003C 8.1.8",{"version":474,"is_range":129,"range_type":459,"version_start":444,"version_start_type":439,"version_end":445,"version_end_type":441,"fixed_in":9},">= 8.2.0, \u003C 8.2.7",{"version":476,"is_range":48,"range_type":136,"version_start":476,"version_start_type":439,"version_end":476,"version_end_type":439,"fixed_in":9},"= 8.3.0"]