Observability & Monitoring

Metrics, tracing, logging, and dashboards for modern infrastructure.

Upgrade now
loki v3.6.11 Security relevant
Dependencies

CVE fixes

grafana v12.3.6+security-04 Security relevant
⚠ Upgrade required
  • Alertmanager config updates no longer error when autogenerated receivers are present.
Security fixes
  • CVE-2026-28374
  • CVE-2026-28376
  • CVE-2026-28383
v12.4.3+security-02 (22d) CVE-2026-28374
v12.2.8+security-04 (22d) Security patches across supported versions.
v11.6.14+security-04 (22d) Security fixes
v13.0.1+security-01 (22d) CVE-2026 fixes
VictoriaMetrics v1.136.9 Security relevant
Security fixes
  • Upgrade Go builder to version 1.26.3, addressing security issues listed in the Go 1.26.3 changelog.
v1.143.0 (23d) Go builder upgrade
Wavelog 2.4.2 Security relevant
⚠ Upgrade required
  • If unable to update immediately, block external access to the /install/ directory at your webserver level as a temporary mitigation.
  • A full security advisory will be published in approximately 30 days.
Security fixes
  • Fixed critical vulnerability affecting all Wavelog installations from version 1.8 onward; temporary mitigation: block external access to /install/ directory.
Notable features
  • Lightweight search page for qrz.com embedding
  • User agent added for JWKS request in SSO implementation
  • Option to skip first login wizard for clubstation members
kubetail cli/v0.17.0 Security relevant
⚠ Upgrade required
  • Remove invalid --upload flag from cosign sign in release workflow
Security fixes
  • Prevent client-supplied X-Forwarded-Authorization from shadowing service-account-token
  • Harden CSRF token handling
  • Stop trusting X-Forwarded-* headers in same-origin check
Notable features
  • Support forwarded host in same-origin check
  • Relax hex requirement for session key-pairs
  • Trigger publish workflows only on stable releases
kite v0.11.0 Security relevant
Security fixes
  • Fixed security vulnerability in API key authentication affecting versions v0.7.0 through v0.10.0
Notable features
  • New resource overview dashboard
  • User‑controlled display scale setting
prometheus v3.11.3 Security relevant
Security fixes
  • AzureAD OAuth client_secret exposed in plaintext via /-/config endpoint (CVE-2026-42151, GHSA-wg65-39gg-5wfj)
  • Remote-read snappy-compressed requests with excessive decoded length (CVE-2026-42154, GHSA-8rm2-7qqf-34qm)
  • Old UI stored XSS via unescaped le label values in heatmap (GHSA-fw8g-cg8f-9j28)
v3.5.3 (1mo) OAuth credential exposure, snappy decompression, XSS
VictoriaMetrics v1.122.21 Security relevant
Security fixes
  • Go builder upgraded from 1.25.9 to 1.26.2
  • Alpine base image upgraded from 3.23.3 to 3.23.4
v1.136.6 (1mo) Alpine security update
wazuh v4.14.5 Security relevant
Security fixes
  • DAPI callable resolution restriction
  • Buffer overflow in analysisd regex match
  • Path traversal in authd via agent group name
tools v0.5.0 Security relevant
Security fixes
  • Fix(rss): prevent path traversal via unvalidated feed_id in get_feed_file_path.
BetterDB-inc/monitor v0.14.2 Security relevant
Security fixes
  • CVE-2026-33806 — vulnerability in Fastify (GHSA-247c-9743-5963)
  • dep: CVE-2026-6410 — static file serving issue (GHSA-pr96-94w5-mx2h)
  • dep: CVE-2026-6414 — static file serving issue (GHSA-x428-ghpx-8j92)
Notable features
  • @betterdb/agent-cache package added — multi‑tier LLM/tool/session cache
  • Cluster support for agent-cache
loki operator/v0.10.1 Security relevant
Security fixes
  • google.golang.org/grpc security update to v1.79.3
Notable features
  • Operator migration to Thanos objstore backend
kubetail cli/v0.14.1 Security relevant
Security fixes
  • CVE-2026-29063
  • Security upgrades
Notable features
  • Log viewer multi-cell selection, context menus, and date range filtering
  • Forward bearer tokens to resolve permission denied errors in authMode: token
  • Add upgrade notification banner and notifications integration
vcli/v0.14.0 (1mo) CVE-2026-29063 security patch
openITCOCKPIT Community Edition openITCOCKPIT-5.5.2 Security relevant
Security fixes
  • CVE-2026-24893 — Authenticated Command Injection Leading to Remote Code Execution via Host Address Macro Expansion
Notable features
  • Added `check_diskstats` plugin to openitcockpit-community-plugins
  • EventcorrelationModule: Summary event correlations widget
prometheus v3.11.2 Security relevant
Security fixes
  • Stored XSS via unescaped metric names and labels (CVE-2026-40179)
Notable features
  • Consul SD: Introduced health_filter field for Health API filtering
  • Consul SD: Fixed filter parameter application in Health API
v3.5.2 (1mo) Stored XSS fix
VictoriaMetrics v1.136.4 Security relevant
Security fixes
  • Go builder upgraded from Go1.26.1 to Go1.26.2
v1.122.19 (1mo) Go security update
Upgrade now
Logsonic v0.7.2 Security relevant
Dependencies

axios vulnerability fix

tools v0.4.1 Security relevant
Security fixes
  • Fixed TOCTOU (time-of-check-to-time-of-use) vulnerability in Elasticsearch memory handling.
Review required
Logsonic v0.7.0 Security relevant

Vulnerabilities

BetterDB-inc/monitor mcp-v1.1.0 Security relevant
Security fixes
  • Pin axios to 1.14.0 to prevent compromised version 1.14.1
  • Override rollup, minimatch, and flatted packages to resolve CVEs
Notable features
  • Throughput forecasting UI and API
