Stored XSS via Geomap Panel Template Variable Attribution Injection
Summary
| CVE | CVE-2026-9029 |
|---|---|
| State | PUBLISHED |
| Assigner | GRAFANA |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-22 14:17:55 UTC |
| Updated | 2026-06-22 20:19:54 UTC |
| Description | The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix. |
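The ordering problem in the description, shown as an added example that is not Grafana's code: `sanitizeStandIn` and `interpolateStandIn` are hypothetical toy stand-ins for the sanitizer and the template-variable substitution, and the template and variable value are constructed.

```javascript
// Hypothetical stand-ins for the sanitizer and the variable substitution
// named in the description; these are NOT Grafana's implementations.

// Toy sanitizer: drops <script> elements and inline on* handlers, keeps other
// markup. A real deployment would use a maintained HTML sanitizer library.
function sanitizeStandIn(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Toy interpolation: replaces ${name} with the raw value, no HTML escaping.
function interpolateStandIn(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (m, name) =>
    name in vars ? String(vars[name]) : m);
}

// Ordering described in the advisory: the sanitizer only ever sees the
// template, so markup carried in the variable value is never inspected.
function renderSanitizeFirst(template, vars) {
  return interpolateStandIn(sanitizeStandIn(template), vars);
}

// Corrected ordering: substitute first, then sanitize the final string
// that would be assigned to innerHTML.
function renderInterpolateFirst(template, vars) {
  return sanitizeStandIn(interpolateStandIn(template, vars));
}

// Check a rendered string for a surviving inline event handler.
function containsHandler(html) {
  return /\son\w+\s*=/i.test(html);
}

// Constructed sample input: an attribution template and a variable value
// that carries markup with an inline handler.
const template = 'Tiles &copy; <a href="https://tiles.example">${provider}</a>';
const vars = { provider: '<b onmouseover="marker()">Acme</b>' };

console.log('sanitize-then-interpolate:', renderSanitizeFirst(template, vars));
console.log('interpolate-then-sanitize:', renderInterpolateFirst(template, vars));
```

The same check applies to any path where a sanitized template is later combined with user-controlled values: the sanitizer has to run on the string that actually reaches the DOM sink.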
Risk And Classification
Primary CVSS: v3.1 7.3 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |
| 3.1 | CNA | DECLARED | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | None |

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Grafana | Grafana OSS | affected 12.4.0 semver | OnPrem |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| grafana.com/security/security-advisories/cve-2026-9029 | [email protected] | grafana.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: trailerb18 (Researcher) (en)
There are currently no legacy QID mappings associated with this CVE.