Arbitrary Code Injection Affecting grafana package, versions *


Severity

Recommended
0.0
high
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.5% (39th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS8-GRAFANA-17816983
  • published4 Jul 2026
  • disclosed13 May 2026

Introduced: 13 May 2026

CVE-2026-44291  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

There is no fixed version for Centos:8 grafana.

NVD Description

Note: Versions mentioned in the description apply only to the upstream grafana package and not the grafana package as distributed by Centos. See How to fix? for Centos:8 relevant fixed versions and status.

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.

CVSS Base Scores

version 3.1