CVE-2025-2703

Summary

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability.

A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana11.6.0 < 11.6.0+security-01affected
GrafanaGrafana11.5.0 < 11.5.3+security-01affected
GrafanaGrafana11.4.0 < 11.4.3+security-01affected
GrafanaGrafana11.3.0 < 11.3.5+security-01affected
GrafanaGrafana11.2.0 < 11.2.8+security-01affected
GrafanaGrafana Enterprise11.6.0 < 11.6.0+security-01affected
GrafanaGrafana Enterprise11.5.0 < 11.5.3+security-01affected
GrafanaGrafana Enterprise11.4.0 < 11.4.3+security-01affected
GrafanaGrafana Enterprise11.3.0 < 11.3.5+security-01affected
GrafanaGrafana Enterprise11.2.0 < 11.2.8+security-01affected

Weaknesses

  • CWE-79: CWE-79

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References