[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2024-9264":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":101,"aliases":102,"duplicate_of":9,"upstream":106,"downstream":107,"duplicates":126,"related":127,"reserved_at":9,"published_at":142,"modified_at":143,"state":144,"summary":145,"references_raw":153,"kevs":197,"epss":198,"epss_history":201,"metrics":405,"affected":426},"CVE-2024-9264","The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack.  The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.",null,[11,62],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-94","Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.","weakness","Draft","Base","Medium",[20,24,58],{"id":21,"name":22,"techniques":23},"CAPEC-242","Code Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-35","Leverage Executable Code in Non-Executable Files",[28,39,46],{"id":29,"name":30,"tactics":31,"countermeasures":38},"T1027.006","HTML Smuggling",[32,35],{"id":33,"name":34},"TA0030","Defense Evasion",{"id":36,"name":37},"TA0005","Stealth",[],{"id":40,"name":41,"tactics":42,"countermeasures":45},"T1027.009","Embedded Payloads",[43,44],{"id":33,"name":34},{"id":36,"name":37},[],{"id":47,"name":48,"tactics":49,"countermeasures":52},"T1564.009","Resource Forking",[50,51],{"id":33,"name":34},{"id":36,"name":37},[53],{"id":54,"name":55,"tactic":56},"D3-FFV","File Format Verification",{"name":57},"Isolate",{"id":59,"name":60,"techniques":61},"CAPEC-77","Manipulating User-Controlled Variables",[],{"_key":63,"id":63,"name":64,"description":65,"type":15,"status":16,"abstraction":66,"likelihood_of_exploit":67,"capec":68},"CWE-77","Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.","Class","High",[69,73,77,81,85,89,93,97],{"id":70,"name":71,"techniques":72},"CAPEC-136","LDAP Injection",[],{"id":74,"name":75,"techniques":76},"CAPEC-15","Command Delimiters",[],{"id":78,"name":79,"techniques":80},"CAPEC-183","IMAP/SMTP Command Injection",[],{"id":82,"name":83,"techniques":84},"CAPEC-248","Command Injection",[],{"id":86,"name":87,"techniques":88},"CAPEC-40","Manipulating Writeable Terminal Devices",[],{"id":90,"name":91,"techniques":92},"CAPEC-43","Exploiting Multiple Input Interpretation Layers",[],{"id":94,"name":95,"techniques":96},"CAPEC-75","Manipulating Writeable Configuration Files",[],{"id":98,"name":99,"techniques":100},"CAPEC-76","Manipulating Web Input to File System Calls",[],[],[103,104,105],"GHSA-q99m-qcv4-fpm7","BIT-grafana-2024-9264","GO-2024-3215",[],[108,110,112,114,116,118,120,122,124],{"_key":109},"UBUNTU-CVE-2024-9264",{"_key":111},"SUSE-SU-2025:01985-1",{"_key":113},"SUSE-SU-2025:01987-1",{"_key":115},"OPENSUSE-SU-2024:0350-1",{"_key":117},"SUSE-SU-2024:3911-1",{"_key":119},"SUSE-SU-2025:01989-1",{"_key":121},"SUSE-SU-2025:01991-1",{"_key":123},"OPENSUSE-SU-2024:14431-1",{"_key":125},"OPENSUSE-SU-2024:14447-1",[],[128,129,130,131,132,133,134,135,136,138,140],{"_key":111},{"_key":113},{"_key":115},{"_key":117},{"_key":119},{"_key":121},{"_key":123},{"_key":125},{"_key":137},"CGA-3F3F-QWC8-5QQF",{"_key":139},"CGA-FJ3Q-RHM5-G676",{"_key":141},"CGA-3MQW-V2G6-57GG","2024-10-18T03:20:52.489Z","2025-03-14T10:03:06.561Z","Modified",{"cisa_kev":146,"cisa_ransomware":146,"cisa_vendor":9,"epss_severity":147,"epss_score":148,"severity":147,"severity_score":149,"severity_version":150,"severity_source":151,"severity_vector":152,"severity_status":144},false,"critical",0.94047,9.9,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",[154,160,164,170,176,181,185,189,193],{"url":155,"sources":156,"tags":158},"https://grafana.com/security/security-advisories/cve-2024-9264/",[151,157],"nvd",[159],"Vendor Advisory",{"url":161,"sources":162,"tags":163},"https://security.netapp.com/advisory/ntap-20250314-0007/",[151,157],[],{"url":165,"sources":166,"tags":168},"https://nvd.nist.gov/vuln/detail/CVE-2024-9264",[167],"osv_go",[169],"Advisory",{"url":171,"sources":172,"tags":173},"https://github.com/grafana/grafana/pull/81666",[167],[174,175],"WEB","FIX",{"url":177,"sources":178,"tags":179},"https://github.com/grafana/grafana",[167],[180],"PACKAGE",{"url":182,"sources":183,"tags":184},"https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264",[167],[174],{"url":186,"sources":187,"tags":188},"https://grafana.com/security/security-advisories/cve-2024-9264",[167],[174],{"url":190,"sources":191,"tags":192},"https://security.netapp.com/advisory/ntap-20250314-0007",[167],[174],{"url":194,"sources":195,"tags":196},"https://github.com/advisories/GHSA-q99m-qcv4-fpm7",[167],[169],[],{"date":199,"score":148,"percentile":200},"2026-06-04",0.99904,[202,206,209,211,214,216,218,220,222,224,227,229,231,233,235,239,241,243,245,247,249,251,255,259,261,263,267,271,274,276,279,281,283,285,287,289,291,294,296,298,300,302,304,306,308,310,312,314,316,318,321,323,325,327,331,333,335,337,339,341,343,345,347,349,351,353,355,357,360,362,364,366,368,370,372,374,376,378,380,382,384,386,388,390,392,394,396,398,400,402],{"date":203,"score":204,"percentile":205},"2025-11-04",0.92294,0.99704,{"date":207,"score":204,"percentile":208},"2025-11-05",0.99703,{"date":210,"score":204,"percentile":208},"2025-11-06",{"date":212,"score":204,"percentile":213},"2025-11-07",0.99701,{"date":215,"score":204,"percentile":213},"2025-11-08",{"date":217,"score":204,"percentile":213},"2025-11-09",{"date":219,"score":204,"percentile":213},"2025-11-10",{"date":221,"score":204,"percentile":213},"2025-11-11",{"date":223,"score":204,"percentile":213},"2025-11-12",{"date":225,"score":204,"percentile":226},"2025-11-13",0.99702,{"date":228,"score":204,"percentile":226},"2025-11-14",{"date":230,"score":204,"percentile":226},"2025-11-15",{"date":232,"score":204,"percentile":226},"2025-11-16",{"date":234,"score":204,"percentile":205},"2025-11-17",{"date":236,"score":237,"percentile":238},"2025-11-18",0.89524,0.99643,{"date":240,"score":237,"percentile":238},"2025-11-19",{"date":242,"score":237,"percentile":238},"2025-11-20",{"date":244,"score":204,"percentile":226},"2025-11-21",{"date":246,"score":204,"percentile":226},"2025-11-22",{"date":248,"score":204,"percentile":226},"2025-11-23",{"date":250,"score":204,"percentile":208},"2025-11-24",{"date":252,"score":253,"percentile":254},"2025-11-25",0.92816,0.99751,{"date":256,"score":257,"percentile":258},"2025-11-26",0.93869,0.99859,{"date":260,"score":257,"percentile":258},"2025-11-27",{"date":262,"score":257,"percentile":258},"2025-11-28",{"date":264,"score":265,"percentile":266},"2025-11-29",0.9392,0.99867,{"date":268,"score":269,"percentile":270},"2025-11-30",0.93989,0.9988,{"date":272,"score":269,"percentile":273},"2025-12-01",0.99883,{"date":275,"score":269,"percentile":273},"2025-12-02",{"date":277,"score":269,"percentile":278},"2025-12-03",0.99884,{"date":280,"score":269,"percentile":270},"2025-12-04",{"date":282,"score":269,"percentile":270},"2025-12-05",{"date":284,"score":269,"percentile":270},"2025-12-06",{"date":286,"score":269,"percentile":270},"2025-12-07",{"date":288,"score":269,"percentile":270},"2025-12-08",{"date":290,"score":269,"percentile":270},"2025-12-09",{"date":292,"score":269,"percentile":293},"2025-12-10",0.99879,{"date":295,"score":269,"percentile":293},"2025-12-11",{"date":297,"score":269,"percentile":293},"2025-12-12",{"date":299,"score":269,"percentile":293},"2025-12-13",{"date":301,"score":269,"percentile":293},"2025-12-14",{"date":303,"score":269,"percentile":270},"2025-12-15",{"date":305,"score":269,"percentile":270},"2025-12-16",{"date":307,"score":269,"percentile":270},"2025-12-17",{"date":309,"score":269,"percentile":270},"2025-12-18",{"date":311,"score":269,"percentile":270},"2025-12-19",{"date":313,"score":269,"percentile":270},"2025-12-20",{"date":315,"score":269,"percentile":270},"2025-12-21",{"date":317,"score":269,"percentile":270},"2025-12-22",{"date":319,"score":269,"percentile":320},"2025-12-23",0.99881,{"date":322,"score":269,"percentile":320},"2025-12-24",{"date":324,"score":269,"percentile":320},"2025-12-25",{"date":326,"score":269,"percentile":320},"2025-12-26",{"date":328,"score":329,"percentile":330},"2025-12-27",0.93973,0.99877,{"date":332,"score":269,"percentile":320},"2025-12-28",{"date":334,"score":269,"percentile":320},"2025-12-29",{"date":336,"score":269,"percentile":320},"2025-12-30",{"date":338,"score":269,"percentile":320},"2025-12-31",{"date":340,"score":269,"percentile":273},"2026-01-01",{"date":342,"score":269,"percentile":273},"2026-01-02",{"date":344,"score":269,"percentile":273},"2026-01-03",{"date":346,"score":269,"percentile":270},"2026-01-04",{"date":348,"score":269,"percentile":270},"2026-01-05",{"date":350,"score":269,"percentile":270},"2026-01-06",{"date":352,"score":269,"percentile":270},"2026-01-07",{"date":354,"score":269,"percentile":320},"2026-01-08",{"date":356,"score":269,"percentile":320},"2026-01-09",{"date":358,"score":269,"percentile":359},"2026-01-10",0.99882,{"date":361,"score":269,"percentile":359},"2026-01-11",{"date":363,"score":269,"percentile":359},"2026-01-12",{"date":365,"score":269,"percentile":359},"2026-01-13",{"date":367,"score":269,"percentile":273},"2026-01-14",{"date":369,"score":269,"percentile":273},"2026-01-15",{"date":371,"score":269,"percentile":273},"2026-01-16",{"date":373,"score":269,"percentile":273},"2026-01-17",{"date":375,"score":269,"percentile":359},"2026-01-18",{"date":377,"score":269,"percentile":273},"2026-01-19",{"date":379,"score":269,"percentile":359},"2026-01-20",{"date":381,"score":269,"percentile":273},"2026-01-21",{"date":383,"score":269,"percentile":273},"2026-01-22",{"date":385,"score":269,"percentile":273},"2026-01-23",{"date":387,"score":269,"percentile":273},"2026-01-24",{"date":389,"score":269,"percentile":273},"2026-01-25",{"date":391,"score":269,"percentile":273},"2026-01-26",{"date":393,"score":269,"percentile":273},"2026-01-27",{"date":395,"score":269,"percentile":278},"2026-01-28",{"date":397,"score":269,"percentile":278},"2026-01-29",{"date":399,"score":269,"percentile":278},"2026-01-30",{"date":401,"score":269,"percentile":278},"2026-01-31",{"date":403,"score":269,"percentile":404},"2026-02-01",0.99887,[406,414,423],{"source":151,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":407,"cvss_v4_0":411},{"baseScore":149,"baseSeverity":408,"vectorString":152,"impactScore":409,"exploitabilityScore":410},"CRITICAL",10,7.9,{"baseScore":412,"baseSeverity":408,"vectorString":413,"impactScore":9,"exploitabilityScore":9},9.4,"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",{"source":157,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":415,"cvss_v4_0":421},{"baseScore":416,"baseSeverity":417,"vectorString":418,"impactScore":419,"exploitabilityScore":420},8.8,"HIGH","CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,7.2,{"baseScore":412,"baseSeverity":408,"vectorString":422,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",{"source":167,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":424,"cvss_v4_0":425},{"baseScore":149,"baseSeverity":9,"vectorString":152,"impactScore":409,"exploitabilityScore":410},{"baseScore":412,"baseSeverity":9,"vectorString":422,"impactScore":9,"exploitabilityScore":9},[427,452],{"ecosystem":428,"name":429,"vendor":430,"product":431,"cpe_part":9,"purl_type":432,"purl_namespace":430,"purl_name":431,"source":9,"versions":433},"Go","github.com/grafana/grafana","github.com/grafana","grafana","golang",[434,442,446,450],{"version":435,"is_range":436,"range_type":437,"version_start":438,"version_start_type":439,"version_end":440,"version_end_type":441,"fixed_in":9},"gte11_0_0_lt11_0_6+security_01",true,"semver","11.0.0","including","11.0.6+security-01","excluding",{"version":443,"is_range":436,"range_type":437,"version_start":444,"version_start_type":439,"version_end":445,"version_end_type":441,"fixed_in":9},"gte11_1_0_lt11_1_7+security_01","11.1.0","11.1.7+security-01",{"version":447,"is_range":436,"range_type":437,"version_start":448,"version_start_type":439,"version_end":449,"version_end_type":441,"fixed_in":9},"gte11_2_0_lt11_2_2+security_01","11.2.0","11.2.2+security-01",{"version":451,"is_range":436,"range_type":437,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",{"ecosystem":9,"name":431,"vendor":431,"product":431,"cpe_part":453,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":454},"a",[455,458,461,464,467,470,473],{"version":456,"is_range":436,"range_type":151,"version_start":438,"version_start_type":439,"version_end":457,"version_end_type":441,"fixed_in":9},">= 11.0.0, \u003C 11.0.5","11.0.5",{"version":459,"is_range":436,"range_type":151,"version_start":444,"version_start_type":439,"version_end":460,"version_end_type":441,"fixed_in":9},">= 11.1.0, \u003C 11.1.6","11.1.6",{"version":462,"is_range":436,"range_type":151,"version_start":448,"version_start_type":439,"version_end":463,"version_end_type":441,"fixed_in":9},">= 11.2.0, \u003C 11.2.1","11.2.1",{"version":465,"is_range":436,"range_type":151,"version_start":438,"version_start_type":439,"version_end":466,"version_end_type":441,"fixed_in":9},">= 11.0.0, \u003C 11.0.6","11.0.6",{"version":468,"is_range":436,"range_type":151,"version_start":444,"version_start_type":439,"version_end":469,"version_end_type":441,"fixed_in":9},">= 11.1.0, \u003C 11.1.7","11.1.7",{"version":471,"is_range":436,"range_type":151,"version_start":448,"version_start_type":439,"version_end":472,"version_end_type":441,"fixed_in":9},">= 11.2.0, \u003C 11.2.2","11.2.2",{"version":438,"is_range":146,"range_type":474,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"cpe"]