VDB
CISA-2025-2703
CISA-2025-2703
PUBLISHED
CVSS 6.8 MEDIUM
Reported by GRAFANA · Published April 23, 2025
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
Risk Scores
CVSS 3.1
6.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Grafana | Grafana | 11.6.0, 11.5.0, 11.4.0 |
| Grafana | Grafana Enterprise | 11.6.0, 11.5.0, 11.4.0 |
| Grafana | Grafana Enterprise | 11.2.0, 11.6.0, 11.5.0 |
| Grafana | Grafana | 11.6.0, 11.4.0, 11.3.0 |
Timeline
- Apr 23, 2025 CVE Published
- Jun 10, 2025 CVE Updated