CVE-2026-15583
A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Gra
CVSS
8.6
High
EPSS
0.3%
p23
KEV
—
Exploit Today
7
0-100
Published: Jul 15, 2026 · Last modified: Jul 15, 2026 · CWE-610
0.3%EPSS · 30 days0.3%
2026-07-152026-07-16
A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2022-242417.5 HIG55.1%
——17ACEweb Online Portal 3.5.065 was discovered to contain an External Controlled File Path and Name vulnerability via the txtFilePath parameter in attachments.awp.9dCVE-2026-108167.5 HIG33.6%
——10Arbitrary File Read (Unauthenticated) in NetScaler ADC and NetScaler Gateway if the access to NSIP, Cluster Management IP or SNIP with management access is enabled15dCVE-2026-12879—8.6%
——3An Improper Input Validation vulnerability in BigQuery DAO in Google Cloud Apigee versions prior to 2026-06-12 on Google Cloud Platform allows an authenticated attacker to exfiltrate cross-tenant data.
This vulnerability was patched on 12 June 2026 on the Apigee Servers, and no customer action is needed.8d