CVE-2025-41117 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-41117 PUBLISHED

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.

EPSS 0.01% · 1.6th percentile

Risk Scores

EPSS Score

0.01%

1.6th percentile

Affected Products

Vendor	Product	Versions
Bitnami	grafana	12.2.0, 12.3.0
Bitnami	grafana	12.2.0, 12.3.0

Timeline

Feb 12, 2026 CVE Published
Feb 12, 2026 EPSS Score
Feb 13, 2026 EPSS Score
Feb 13, 2026 PoC Published
Feb 15, 2026 EPSS Score
Feb 15, 2026 PoC Published
Feb 16, 2026 EPSS Score
Feb 18, 2026 EPSS Score
Feb 19, 2026 EPSS Score
Feb 20, 2026 EPSS Score
Feb 20, 2026 CVE Updated
Feb 22, 2026 EPSS Score

References

Open in Interactive Console →