Grafana is an open-source visualization and analytics software. It allows you to query, visualize, alert on, and explore your metrics and time-series database (TSDB) data.

Grafana

MinimOS is a minimalist operating system designed for simplicity and efficiency. It aims to provide only essential functionalities, making it lightweight and suitable for resource-constrained environments. MinimOS is often used in embedded systems or as a base for custom operating system development.

MinimOS

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.

In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation.

This vulnerability applies only if all of the following conditions are met:
- `enableSCIM` feature flag set to true
- `user_sync_enabled` config option in the `[auth.scim]` block set to true

CVE-2025-41115

Chainguard

GoLang

GitHub Advisory Database

Minimus

Linux

Linux Kernel

Windows

Windows Cumulative Update

VulnCheck NVD++

Wolfi

A web application firewall (WAF) solution that protects web applications and APIs from threats and vulnerabilities through machine learning and AI-powered security. FortiWeb provides protection against OWASP Top 10 threats, zero-day attacks, and bot-based attacks while maintaining high performance and low latency. It offers both cloud-based and on-premises deployment options with features like API protection, automated machine learning, and virtual patching.

Fortinet FortiWeb

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

CVE-2025-64446

Docker is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers.

Docker

Datadog is a monitoring service for cloud-scale applications, providing monitoring of servers, databases, tools, and services through a SaaS-based data analytics platform.

Datadog Agent

Podman is an open-source project that is available on most Linux platforms and resides on GitHub. Podman is a daemonless container engine for developing, managing, and running Open Container Initiative (OCI) containers and container images on your Linux system. Podman provides a Docker-compatible command line front end that can simply alias the Docker CLI, `alias docker=podman`.

Podman

Linux is a family of open-source Unix-like operating systems based on the Linux kernel.

A simple and comprehensive vulnerability scanner for containers, suitable for CI.

Trivy

CRI-O is an implementation of the Kubernetes CRI (Container Runtime Interface) to enable the use of OCI (Open Container Initiative) compatible runtimes. It is a lightweight alternative to using Docker as the runtime for Kubernetes.

CRI-O

Rocky Linux is a Linux distribution intended to be a downstream, complete binary-compatible release using the Red Hat Enterprise Linux operating system source code. The project's aim is to provide a community-supported, production-grade enterprise operating system.

Rocky Linux

The Google OS Config agent runs on your GCP VM and uses the specifications in the guest policy to maintain it in a desired state.

Google OS Config Agent

AlmaLinux OS is an open-source, community-driven Linux operating system that fills the gap left by the discontinuation of the CentOS Linux stable release. AlmaLinux OS is a 1:1 binary compatible fork of RHEL®, guided and built by the community.

Alma Linux

Alibaba Cloud Linux (Aliyun Linux) OS is an open-source Linux distribution originated by the Alibaba Operating System team, aiming to deliver OS services with various functionalities, high performance, and stability to Alibaba Cloud Elastic Compute Service (ECS) customers.

Alibaba Cloud Linux (Aliyun Linux)

Red Hat Enterprise Linux CoreOS (RHCOS) is an operating system based on Red Hat Enterprise Linux (RHEL) that is optimized for running containerized workloads in a clustered environment. It is designed to be used as the foundation for building and managing large-scale, container-based applications and services, such as those used in cloud-native and Kubernetes deployments. RHCOS includes built-in support for automatic updates, self-healing, and other features that are necessary for running distributed systems at scale.

Red Hat Enterprise Linux CoreOS (RHCOS)

CBL Marine is an open source distro, created by Microsoft. Mainly used in Azure cloud and Microsoft Internally.

CBL Mariner

Wolfi is a community Linux OS designed for the container and cloud-native era; it is a Linux distribution based on Alpine.

Chainguard is a Linux distribution based on Alpine. It's the commercial version of the Wolfi distro.

Kubescape CLI is an open-source Kubernetes security platform that helps identify and fix misconfigurations in Kubernetes clusters. It scans Kubernetes YAML files, Helm charts, and live clusters against various security frameworks and best practices. Kubescape CLI provides detailed risk scoring, compliance reports, and remediation suggestions to improve the security posture of Kubernetes environments.

Kubescape CLI

Debian GNU/Linux is a Linux distribution composed of free and open-source software.

Linux Debian

Ubuntu is a Linux distribution based on Debian, mostly composed of free and open-source software. Ubuntu is officially released in three editions: Desktop, Server, and Core for internet of things devices and robots. All the editions can run on the computer alone or in a virtual machine.

Linux Ubuntu

Red Hat Enterprise Linux is a Linux distribution developed by Red Hat for the commercial market.

Linux Red Hat

Linux openSUSE

The Amazon Linux is a supported and maintained Linux image provided by Amazon Web Services for use on Amazon Elastic Compute Cloud (Amazon EC2).

Amazon Linux

Alpine Linux is a Linux distribution based on musl and BusyBox, designed for security, simplicity, and resource efficiency.

Linux Alpine

Oracle Linux is a Linux distribution packaged and freely distributed by Oracle, available partially under the GNU General Public License since late 2006. It is compiled from Red Hat Enterprise Linux source code, replacing Red Hat branding with Oracle's.

Linux Oracle

Container-Optimized OS is an operating system image for Compute Engine VMs that is optimized for running Docker containers.

Container-Optimized OS

Echo is a secure, minimal Linux OS built vulnerability-free. It is fully compatible across environments and continuously patched - making it a clean, dependable base layer for modern applications. Echo is used by organizations focused on security and reliability, including those with compliance or FIPS requirements.

Echo

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

CVE-2025-52881

AlmaLinux

AlmaLinux Security Advisory

Alpine

Alpine Security Tracker

CBL-Mariner

Container-Optimized OS Release Notes

Debian

Debian Security Tracker

Red Hat

Red Hat CoreOS

Red Hat Errata

Rocky

Rocky Linux Product Errata

TuxCare

Ubuntu

Ubuntu Security Tracker

runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

CVE-2025-52565

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

CVE-2025-31133

In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative.

CVE-2025-59820

WordPress is a content management system paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes.

WordPress

The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements

CVE-2025-12061

PHP is a general-purpose scripting language that is especially suited for web development.

REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1.

CVE-2025-66026

Composer

Class based , object oriented programming language. Designed to have less dependencies as possible. The syntex of Java is smilier to C and C++. Commonly used for client-server applications. Java files are compiled by JVM (Java Virtual Machine)

Java

OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1,  OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. At time of publication no known patch is available.

CVE-2025-66021

Maven

Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-41115	CRITICAL	10	Grafana	github.com/grafana/grafana	No	Yes	Nov 21, 2025
CVE-2025-64446	CRITICAL	9.8	Fortinet FortiWeb	cpe:2.3:a:fortinet:fortiweb	Yes	Yes	Nov 14, 2025
CVE-2025-52881	HIGH	7.3	Docker	kernel-rt-core	No	Yes	Nov 06, 2025
CVE-2025-52565	HIGH	8.4	Podman	libslirp-devel	No	Yes	Nov 06, 2025
CVE-2025-31133	HIGH	7.3	Podman	container-tools:rhel8::criu	No	Yes	Nov 06, 2025

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-59820	MEDIUM	6.7	Linux Debian	krita	No	Yes	Nov 26, 2025
CVE-2025-12061	N/A	N/A	WordPress	virtual-hdm-for-taxservice-am	No	Yes	Nov 26, 2025
CVE-2025-66026	MEDIUM	6.1	PHP	redaxo/source	No	Yes	Nov 26, 2025
CVE-2025-66021	HIGH	8.6	Java	com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer	No	No	Nov 26, 2025
CVE-2025-65956	MEDIUM	6.5	PHP	getformwork/formwork	No	Yes	Nov 26, 2025

Wiz Vulnerability Database

Explore by technology

Popular filters

High Profile

Most Recent

Vulnerabilities by the numbers

The good, the bad, and the vulnerable

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?