Impact
The vulnerability is a stored cross‑site scripting flaw in Grafana OSS’s Geomap panel. A user with Editor permissions can insert a malicious script into the attribution field of an XYZ tile layer through a template variable. When any viewer loads the dashboard, the script executes in the viewer’s browser, exposing all subsequent viewers to client‑side code execution.
Affected Systems
Grafana OSS dashboards that use the geomap panel are affected. The CVE does not specify which exact releases contain the flaw, so any Grafana OSS version running the geomap panel without the patch is potentially vulnerable.
Risk and Exploitability
The CVSS score of 7.3 signals high severity, and the EPSS score of < 1% indicates that although the probability of exploitation is low, the vulnerability remains actionable because it is triggered by any user with Editor privileges. An attacker only needs to create or modify a template variable that populates the attribution field with a malicious payload. Once deployed, the stored XSS runs automatically for every subsequent viewer of the dashboard. This vulnerability is not listed in KEV.
OpenCVE Enrichment