Stored XSS via Geomap Panel Template Variable Attribution Injection

7.3 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Description

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

Basic Information

ID CVE-2026-9029

Source GRAFANA

Published Jun 22, 2026 at 13:18

Affected Product

Vendor Grafana

Product Grafana OSS

Version 12.4.0

Affected Versions Grafana Grafana OSS 12.4.0

References

grafana.com /security/security-advisories/cve-2026-9029

{
    "lastseen": "",
    "description": "The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix",
    "published": "2026-06-22T13:18:40.770Z",
    "modified": "2026-06-22T13:18:40.770Z",
    "type": "cve",
    "title": "Stored XSS via Geomap Panel Template Variable Attribution Injection",
    "source": "GRAFANA",
    "references": "https://grafana.com/security/security-advisories/cve-2026-9029",
    "id": "CVE-2026-9029",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Grafana Grafana OSS 12.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Grafana OSS",
    "version": "12.4.0",
    "vendor": "Grafana",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Stored XSS via Geomap Panel Template Variable Attribution Injection_CVE-2026-9029

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply