Grafana has rolled out safety updates to deal with 4 high-severity vulnerabilities within the Chromium library used within the Grafana Picture Renderer plugin and Artificial Monitoring Agent.
An important of those points is CVE-2025-6554, a sort confusion in Chrome’s V8 JavaScript engine that may very well be exploited remotely to carry out arbitrary learn/write operations, which was exploited within the wild as a zero-day.
“Google is conscious that an exploit for CVE-2025-6554 exists within the wild,” Google mentioned final week, when it introduced that Chrome variations 138.0.7204.96/.97 for Home windows, variations 138.0.7204.92/.93 for macOS, and model 138.0.7204.96 for Linux comprise patches for the bug.
Grafana additionally launched patches for CVE-2025-5959, a sort confusion bug within the V8 engine that would permit distant attackers to execute arbitrary code throughout the sandbox, utilizing crafted HTML pages.
Google resolved the difficulty in Chrome variations 137.0.7151.103/.104 for Home windows and macOS, and in model 137.0.7151.103 for Linux.
Moreover, the Picture Renderer plugin and Artificial Monitoring Agent acquired patches for CVE-2025-6191, an integer overflow defect in Chrome’s V8 engine, and CVE-2025-6192, a use-after-free within the browser’s Profiler part.
Resolved in Chrome variations 137.0.7151.119/.120 for Home windows and macOS, and model 137.0.7151.119 for Linux, these flaws might permit distant attackers to probably carry out out-of-bounds reminiscence entry and exploit heap corruption, respectively.
In line with Grafana, these vulnerabilities influence Grafana Picture Renderer variations prior to three.12.9 and Artificial Monitoring Agent releases earlier than 0.38.3 and customers ought to replace to the patched iterations as quickly as attainable.Commercial. Scroll to proceed studying.
“Customers who function the Grafana Picture Renderer plugin or have a neighborhood set up of the Artificial Monitoring Agent are suggested to replace their programs,” Grafana says, noting that cloud deployments have been mechanically up to date.
Associated: Grafana Flaws Possible Focused in Broad SSRF Exploitation Marketing campaign
Associated: Code Execution Vulnerability Patched in GitHub Enterprise Server
Associated: Essential Authentication Bypass Flaw Patched in Teleport
Associated:Excessive-Severity Vulnerabilities Patched by Cisco, Atlassian
