Investigate unresolved Grafana CVEs after upgrade to 12.4.2 #434

@josecelano

Overview

Track unresolved Grafana vulnerabilities after upgrade to 12.4.2 in issue #428.

Context

Upgrade significantly reduced findings and removed CRITICAL vulnerabilities:

  • Before (12.3.1): 18 HIGH, 6 CRITICAL
  • After (12.4.2): 4 HIGH, 0 CRITICAL

Goals

  • Determine whether newer Grafana tags clear the remaining HIGH findings
  • Track upstream fixes for remaining dependencies
  • Recommend final stable version for deployer defaults

Acceptance Criteria

  • Evaluate candidate Grafana tags and compare vulnerability deltas
  • Document recommended next version and compatibility notes
  • Update deployer defaults if a better stable tag is validated
  • Pre-commit checks pass: ./scripts/pre-commit.sh

Related
