FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- RCE on Grafana via sqlExpressions

Affected packages
11.6.0 <= grafana < 11.6.14
12.0.0 <= grafana < 12.1.10
12.2.0 <= grafana < 12.2.8
12.3.0 <= grafana < 12.3.6
12.4.0 <= grafana < 12.4.2

Details

VuXML ID: f45ad940-58ff-11f1-b525-3c7c3fba4204
Discovery: 2026-03-27
Entry: 2026-05-26

https://grafana.com/security/security-advisories/cve-2026-27876 reports:

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

References

CVE Name: CVE-2026-27876
URL: https://cveawg.mitre.org/api/cve/CVE-2026-27876