CVE-2025-4123

HIGH 7.6

CVSS Score

7.6

EPSS Score

3.9%

EPSS Percentile

88th

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

CWE	CWE-79 CWE-601
Vendor	grafana
Product	grafana
Ecosystems	Monitoring DevTools
Industries	Technology
Published	May 22, 2025
Last Updated	Apr 29, 2026

Stay Ahead of the Next One

Get instant alerts for grafana grafana

Be the first to know when new high vulnerabilities affecting grafana grafana are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Affected Versions

Grafana / Grafana

10.4.18+security-01 < 10.4.19 11.2.9+security-01 < 11.2.10 11.3.6+security-01 < 11.3.7 11.4.4+security-01 < 11.4.5 11.5.4+security-01 < 11.5.5 11.6.1+security-01 < 11.6.2 12.0.0+security-01 < 12.0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

grafana.com: https://grafana.com/security/security-advisories/cve-2025-4123/ grafana.com: https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/ exploit-db.com: https://www.exploit-db.com/exploits/52491

Credits

Alvaro Balada