CVE-2025-41118

Published: Apr 15, 2026 Last Modified: Apr 15, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).

If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API.

To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems.

This vulnerability is fixed in versions:

1.15.x: 1.15.2 and above.
1.16.x: 1.16.1 and above.
1.17.x: 1.17.0 and above (i.e. all versions).

Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0003

Percentile

0,1th

Updated

Single Data Point

Only one EPSS measurement is available for this CVE. Trend analysis requires multiple data points over time.

https://grafana.com/security/security-advisories/cve-2025-4…

https://grafana.com/security/security-advisories/cve-2025-41118

CVE-2025-41118

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

Single Data Point

Iscriviti alla newsletter