CVE-2024-9264 is a critical vulnerability in Grafana's SQL Expressions feature, affecting versions 11.0.x, 11.1.x, and 11.2.x, with a CVSS score of 9.9. Introduced in Grafana 11, the SQL Expressions feature lacks input sanitization, making it susceptible to command injection and local file inclusion (LFI) attacks. Attackers with at least 'viewer' permissions can exploit this flaw to access sensitive files or execute commands via malicious SQL queries sent to the backend DuckDB CLI. The vulnerability requires specific conditions: DuckDB must be manually installed, and the attacker needs network access to the target Grafana instance. Grafana has released patches, and users are advised to update to the latest versions.
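A triage check for the two preconditions named above (an 11.0.x, 11.1.x or 11.2.x series build, plus a DuckDB CLI present on the host), added here as an example and not code from Grafana or the advisory; the function names and the `duckdb` binary name are this example's own assumptions.

```python
import re
import shutil

# Affected minor series as stated in the summary above; the fixed patch
# releases within these series are not enumerated here, so a hit is a
# triage signal to compare against the vendor advisory, not a verdict.
AFFECTED_MINORS = {(11, 0), (11, 1), (11, 2)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; pre-release/build suffixes are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def in_affected_series(version: str) -> bool:
    """True when the build belongs to one of the affected minor series."""
    major, minor, _patch = parse_version(version)
    return (major, minor) in AFFECTED_MINORS


def duckdb_installed() -> bool:
    """The flaw is only reachable when a DuckDB CLI has been installed manually;
    here we assume it is found as a 'duckdb' binary on PATH (assumption)."""
    return shutil.which("duckdb") is not None


def assess(version: str, duckdb_on_path: bool) -> str:
    """Combine both preconditions into a single exposure verdict."""
    if not in_affected_series(version):
        return "not-affected-series"
    if not duckdb_on_path:
        return "affected-series-no-duckdb"
    return "exposed"


if __name__ == "__main__":
    # Constructed sample: the version string would normally come from the
    # running instance (e.g. its /api/health response) rather than a literal.
    sample_version = "11.2.0"
    print(sample_version, "->", assess(sample_version, duckdb_installed()))
```

An "exposed" result means both preconditions hold and the instance should be patched or the DuckDB binary removed from the Grafana host until it is.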