Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 10 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix | A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard (stored cross-site scripting). |
| Title | Stored XSS via Geomap Panel Template Variable Attribution Injection | Stored XSS in the Geomap panel tile-layer attribution |
Wed, 24 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Grafana
Grafana grafana |
|
| Vendors & Products |
Grafana
Grafana grafana |
Mon, 22 Jun 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 22 Jun 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-79 |
Mon, 22 Jun 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix | |
| Title | Stored XSS via Geomap Panel Template Variable Attribution Injection | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GRAFANA
Published:
Updated: 2026-07-10T18:44:40.804Z
Reserved: 2026-05-19T15:28:45.662Z
Link: CVE-2026-9029
Updated: 2026-06-22T15:43:36.121Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-24T20:15:07Z