{"api_version":"1","generated_at":"2026-06-23T07:14:42+00:00","cve":"CVE-2026-9029","urls":{"html":"https://cve.report/CVE-2026-9029","api":"https://cve.report/api/cve/CVE-2026-9029.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9029","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9029"},"summary":{"title":"Stored XSS via Geomap Panel Template Variable Attribution Injection","description":"The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix","state":"PUBLISHED","assigner":"GRAFANA","published_at":"2026-06-22 14:17:55","updated_at":"2026-06-23 05:17:05"},"problem_types":[],"metrics":[{"version":"3.1","source":"security@grafana.com","type":"Secondary","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","data":{"baseScore":7.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://grafana.com/security/security-advisories/cve-2026-9029","name":"https://grafana.com/security/security-advisories/cve-2026-9029","refsource":"security@grafana.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9029","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9029","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Grafana","product":"Grafana OSS","version":"affected 12.4.0 semver","platforms":["OnPrem"]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"trailerb18 (Researcher)","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-9029","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-22T00:00:00+00:00","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-23T03:55:44.583Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["OnPrem"],"product":"Grafana OSS","vendor":"Grafana","versions":[{"status":"affected","version":"12.4.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"trailerb18 (Researcher)"}],"datePublic":"2026-05-22T14:46:29.694Z","descriptions":[{"lang":"en","value":"The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix"}],"metrics":[{"cvssV3_1":{"baseScore":7.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-06-22T13:18:40.770Z","orgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","shortName":"GRAFANA"},"references":[{"tags":["vendor-advisory"],"url":"https://grafana.com/security/security-advisories/cve-2026-9029"}],"source":{"discovery":"BUG_BOUNTY"},"title":"Stored XSS via Geomap Panel Template Variable Attribution Injection","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","assignerShortName":"GRAFANA","cveId":"CVE-2026-9029","datePublished":"2026-06-22T13:18:40.770Z","dateReserved":"2026-05-19T15:28:45.662Z","dateUpdated":"2026-06-23T03:55:44.583Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-22 14:17:55","lastModifiedDate":"2026-06-23 05:17:05","problem_types":[],"metrics":{"cvssMetricV31":[{"source":"security@grafana.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-22T00:00:00+00:00","id":"CVE-2026-9029","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9029","Ordinal":"1","Title":"Stored XSS via Geomap Panel Template Variable Attribution Inject","CVE":"CVE-2026-9029","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9029","Ordinal":"1","NoteData":"The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix","Type":"Description","Title":"Stored XSS via Geomap Panel Template Variable Attribution Inject"}]}}}