← Back
2026-06-22 13:18CVE-2026-9029GRAFANA
PUBLISHED5.2

Stored XSS via Geomap Panel Template Variable Attribution Injection

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

Affected products

Grafana

Grafana OSS

12.4.0 - AFFECTED

References

grafana.com

https://grafana.com/security/security-advisories/cve-2026-9029

vendor-advisory

GitHub Security Advisories

GHSA-9g84-39mm-q4p3

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug....

https://github.com/advisories/GHSA-9g84-39mm-q4p3

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-9029

grafana.com

https://grafana.com/security/security-advisories/cve-2026-9029

github.com

https://github.com/advisories/GHSA-9g84-39mm-q4p3

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-9029
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-9029",
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "dateUpdated": "2026-06-22T13:18:40.770Z",
    "dateReserved": "2026-05-19T15:28:45.662Z",
    "datePublished": "2026-06-22T13:18:40.770Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA",
        "dateUpdated": "2026-06-22T13:18:40.770Z"
      },
      "datePublic": "2026-05-22T14:46:29.694Z",
      "title": "Stored XSS via Geomap Panel Template Variable Attribution Injection",
      "descriptions": [
        {
          "lang": "en",
          "value": "The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix"
        }
      ],
      "affected": [
        {
          "vendor": "Grafana",
          "product": "Grafana OSS",
          "platforms": [
            "OnPrem"
          ],
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "12.4.0",
              "status": "affected",
              "versionType": "semver"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://grafana.com/security/security-advisories/cve-2026-9029",
          "tags": [
            "vendor-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "baseScore": 7.3,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "trailerb18 (Researcher)",
          "type": "finder"
        }
      ]
    }
  }
}