Description
A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard (stored cross-site scripting).
Published: 2026-06-22
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in Grafana OSS’s Geomap panel. A user with Editor permissions can insert a malicious script into the attribution field of an XYZ tile layer through a template variable. When any viewer loads the dashboard, the script executes in the viewer’s browser, exposing all subsequent viewers to client‑side code execution.

Affected Systems

Grafana OSS dashboards that use the geomap panel are affected. The CVE does not specify which exact releases contain the flaw, so any Grafana OSS version running the geomap panel without the patch is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.3 signals high severity, and the EPSS score of < 1% indicates that although the probability of exploitation is low, the vulnerability remains actionable because it is triggered by any user with Editor privileges. An attacker only needs to create or modify a template variable that populates the attribution field with a malicious payload. Once deployed, the stored XSS runs automatically for every subsequent viewer of the dashboard. This vulnerability is not listed in KEV.

Generated by OpenCVE AI on July 13, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued Grafana OSS patch that corrects the template sanitization ordering bug.
  • If the patch cannot be applied immediately, remove or disable the geomap panel from all dashboards to eliminate the attack surface.
  • Restrict the ability for users to set variable defaults by limiting Editor privileges or enforcing a policy that disallows default XSS payloads.

Generated by OpenCVE AI on July 13, 2026 at 05:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard (stored cross-site scripting).
Title Stored XSS via Geomap Panel Template Variable Attribution Injection Stored XSS in the Geomap panel tile-layer attribution

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Grafana
Grafana grafana
Vendors & Products Grafana
Grafana grafana

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix
Title Stored XSS via Geomap Panel Template Variable Attribution Injection
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-07-10T18:44:40.804Z

Reserved: 2026-05-19T15:28:45.662Z

Link: CVE-2026-9029

cve-icon Vulnrichment

Updated: 2026-06-22T15:43:36.121Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-13T06:00:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')