CPE detected a vulnerable application, but no CVE appears in the scan results

Hi everyone,

I’m running into a strange issue and wondering if anyone has experienced something similar. My Greenbone scan correctly identified Grafana 11.4.0 running on one of my systems, but I’m not seeing any of the known CVEs for this version in my scan results.

I know Grafana 11.4.0 has several documented vulnerabilities, so I was expecting to see them flagged during the scan. The application detection itself works perfectly fine - Greenbone clearly knows what version is running - but the vulnerability findings just aren’t there.

This has me wondering if there’s something wrong with my setup or if it’s a feed issue. Maybe the VTs for these specific Grafana CVEs aren’t available yet, or perhaps I’m missing something in my scan configuration? I’ve checked my feed updates and they seem current, but I’m still not getting the expected results.

Any insights would be really helpful since this kind of defeats the purpose of vulnerability scanning if known issues aren’t being reported.

Thanks for any guidance you can provide!

Hi nxvh,
Grafana has been covered by the Greenbone Enterprise Feed since 2024 (paid product).
Are you running this feed?

No, I’m running the Community Feed… but the CVE is in the list.

If this is about the Security Information -> CVEs view within the GUI (GSA):

  • This view shows all available CVEs, independent of the feed type in use (enterprise or community)
  • It is a common misunderstanding of this part of the GUI that if a CVE is included there, it is covered
  • If you want to check whether a CVE is currently covered, you would need to go to Security Information -> NVTs instead and search for the CVE there

Relevant part from the existing documentation:

The availability of a CVE on the appliance does not mean that it is also covered by a VT. To determine whether a specific CVE is covered, the filter cve=<CVE-ID> can be used on the NVTs page (see Chapter 13.1).
