CVE-2025-2703

Description

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Affected products

Grafana / Grafana11.6.0 – 11.6.0+security-01
Grafana / Grafana11.5.0 – 11.5.3+security-01
Grafana / Grafana11.4.0 – 11.4.3+security-01
Grafana / Grafana11.3.0 – 11.3.5+security-01
Grafana / Grafana11.2.0 – 11.2.8+security-01
Grafana / Grafana Enterprise11.6.0 – 11.6.0+security-01
Grafana / Grafana Enterprise11.5.0 – 11.5.3+security-01
Grafana / Grafana Enterprise11.4.0 – 11.4.3+security-01
Grafana / Grafana Enterprise11.3.0 – 11.3.5+security-01
Grafana / Grafana Enterprise11.2.0 – 11.2.8+security-01

References

VENDOR_ADVISORYhttps://grafana.com/security/security-advisories/cve-2025-2703
MISChttps://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/