Impact
The grafanacubism-panel plugin for Grafana passes an editor-supplied URL directly to window.location.assign() or window.open() during a panel zoom action without validating its scheme. An editor can therefore store a javascript: URI that executes in the Grafana domain whenever a viewer drag-zooms the panel, which is a stored cross-site scripting weakness (CWE-79). An attacker can run arbitrary JavaScript in the context of the Grafana UI and may thereby access session cookies, make authenticated API requests or modify page content.
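The mitigation for this class of bug is to allow-list the URL scheme before the link ever reaches a navigation API. The following is an added example, not the plugin's own code; the function names sanitizeZoomUrl and openZoomLink and the base origin grafana.example are assumptions for illustration.

```javascript
// Added example (not the plugin's code): validate an editor-supplied zoom link
// before it is handed to window.location.assign() or window.open().
// Allow-list schemes rather than blocking known-bad ones; relative links are
// resolved against the Grafana origin (assumed here) so path-only links still work.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the absolute, validated URL string, or null if the link must be rejected.
function sanitizeZoomUrl(rawUrl, baseOrigin = "https://grafana.example") {
  if (typeof rawUrl !== "string") return null;
  const trimmed = rawUrl.trim();
  if (trimmed === "") return null;
  let parsed;
  try {
    parsed = new URL(trimmed, baseOrigin); // throws on unparseable input
  } catch {
    return null;
  }
  // URL normalises the scheme to lower case, so mixed-case tricks are covered.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Hardened zoom handler: navigate only when validation passes.
// `navigate` is injectable so the logic can be tested outside a browser.
function openZoomLink(rawUrl, navigate = (u) => window.open(u, "_blank", "noopener")) {
  const safe = sanitizeZoomUrl(rawUrl);
  if (safe === null) {
    console.warn("zoom link rejected: unsupported scheme or malformed URL");
    return false;
  }
  navigate(safe);
  return true;
}
```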
Affected Systems
The affected vendor and product are listed as ekacnet:grafanacubism-panel. The vulnerability applies to all releases of the plugin up to and including version 0.1.2, regardless of Grafana major version. Operators running version 0.1.2 or earlier should check whether the zoom-link feature is in use and whether editor roles are granted to untrusted accounts.
Risk and Exploitability
The CVSS score of 7.6 indicates high severity. EPSS is below 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalogue. Exploitation requires an attacker who already holds dashboard-editor privileges: the editor stores a javascript: link in the panel, and the payload runs when a viewer drag-zooms that panel. Users who only have view access could still be affected if an editor misconfigures the plugin.
OpenCVE Enrichment