PatchSiren

Grafana CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Grafana CVE published 2026-03-27

CVE-2026-27880

CVE-2026-27880 is a high-severity denial-of-service issue described by NVD as an unbounded-memory read in the OpenFeature feature toggle evaluation endpoint that can lead to out-of-memory crashes. NVD scores it as network-exploitable, requiring no privileges or user interaction, with a base score of 7.5 (HIGH).

MEDIUM Grafana CVE published 2026-03-27

CVE-2026-27877

CVE-2026-27877 is a Grafana information-disclosure issue affecting public dashboards that use direct data-sources. According to the CVE description, passwords for direct data-sources can be exposed even when those data-sources are not actually used in the dashboards. Grafana states that proxied data-sources are not exposed and recommends converting direct data-sources to proxied data-sources wherever possible.

LOW Grafana CVE published 2026-02-25

CVE-2026-21725

CVE-2026-21725 describes a race-condition/TOCTOU issue in Grafana datasource deletion handling. Under a very narrow set of conditions, an attacker who previously had admin access to a datasource can delete it, wait for someone else to recreate it with the same UID, and then delete the recreated datasource without having admin rights on the new object. The practical risk is limited by several gating condit [truncated]