CVE-2026-9029
Stored XSS via Geomap Panel Template Variable Attribution Injection
CVSS Score: 7.3
EPSS Score: 0.0%
EPSS Percentile: 0th
The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug: sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, and that substitution uses the glob format, which performs no HTML escaping. The resulting string is handed to OpenLayers and written with element.innerHTML. An Editor can therefore set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This bypasses the fix for CVE-2023-0507.
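The ordering bug described above, reduced to its essentials as an added example (this is not Grafana's code): escapeHtml() stands in for the sanitizer and interpolate() stands in for template-variable substitution with a `${name}` syntax, both of which are assumptions made here for illustration. Running the two orderings side by side shows why sanitizing the template before substitution leaves the variable value unescaped, and why sanitizing after substitution closes the gap.

```javascript
// Added illustration of the sanitize-then-interpolate ordering bug. None of
// this is Grafana code: escapeHtml() is a stand-in sanitizer and interpolate()
// is a stand-in for template-variable substitution (both are assumptions).

// Minimal HTML entity escaping; stands in for a text sanitizer.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in substitution: replaces ${name} with vars[name] verbatim, i.e. with
// no escaping, which is how the description says the glob format behaves.
function interpolate(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : match);
}

// Vulnerable ordering: sanitize the template, then substitute. Whatever the
// variable holds is copied into the output after sanitization already ran.
function renderSanitizeThenInterpolate(template, vars) {
  return interpolate(escapeHtml(template), vars);
}

// Corrected ordering: substitute first, then sanitize the final string, so the
// variable value receives the same escaping as the template text.
function renderInterpolateThenSanitize(template, vars) {
  return escapeHtml(interpolate(template, vars));
}

// Review-side check: does the string that would reach innerHTML still carry an
// unescaped tag?
function containsRawTag(html) {
  return /<[a-z!\/]/i.test(html);
}

// Constructed sample: an attribution template that references a textbox
// variable whose value carries markup (a harmless tag stands in for a payload).
const attributionTemplate = 'Tiles by ${provider}';
const sampleVars = { provider: '<b>injected</b>' };

function demo() {
  return {
    vulnerable: renderSanitizeThenInterpolate(attributionTemplate, sampleVars),
    fixed: renderInterpolateThenSanitize(attributionTemplate, sampleVars),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('sanitize-then-interpolate:', r.vulnerable, containsRawTag(r.vulnerable));
  console.log('interpolate-then-sanitize:', r.fixed, containsRawTag(r.fixed));
}
```

The takeaway for reviewers is that the position of the sanitizer relative to every substitution step is what matters; a sanitizer that runs earlier than the last point where untrusted text enters the string provides no protection for that text.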
| Field | Value |
| --- | --- |
| Vendor | grafana |
| Product | grafana oss |
| Ecosystems | |
| Industries | Technology |
| Published | Jun 22, 2026 |
| Last Updated | Jun 23, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

| Metric | Value |
| --- | --- |
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | Low (PR:L) |
| User Interaction | Required (UI:R) |
| Scope | Unchanged (S:U) |
| Confidentiality | High (C:H) |
| Integrity | High (I:H) |
| Availability | None (A:N) |
Affected Versions
Grafana / Grafana OSS
12.4.0
References
Credits
trailerb18 (Researcher)