CVE-2026-9029 - Vulnerability Details - OpenCVE

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Grafana	Grafana

No data.

No data.

References

Link	Providers
https://grafana.com/security/security-advisories/cve-2026-9029

History

Wed, 24 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Grafana Grafana grafana
Vendors & Products		Grafana Grafana grafana

Mon, 22 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 22 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79

Mon, 22 Jun 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix
Title		Stored XSS via Geomap Panel Template Variable Attribution Injection
References		https://grafana.com/security/security-advisories/cve-2026-9029
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published: 2026-06-22T13:18:40.770Z

Updated: 2026-06-24T15:55:58.092Z

Reserved: 2026-05-19T15:28:45.662Z

Link: CVE-2026-9029

Vulnrichment

Updated: 2026-06-22T15:43:36.121Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9029", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-05-19T15:28:45.662Z", "datePublished": "2026-06-22T13:18:40.770Z", "dateUpdated": "2026-06-24T15:55:58.092Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-06-22T13:18:40.770Z"}, "datePublic": "2026-05-22T14:46:29.694Z", "title": "Stored XSS via Geomap Panel Template Variable Attribution Injection", "descriptions": [{"lang": "en", "value": "The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix"}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "12.4.0", "status": "affected", "versionType": "semver"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-9029", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}}], "credits": [{"lang": "en", "value": "trailerb18 (Researcher)", "type": "finder"}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T03:55:45.644989Z", "id": "CVE-2026-9029", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T15:55:58.092Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-9029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-23T03:55:45.644989Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T15:43:36.121Z"}}], "cna": {"title": "Stored XSS via Geomap Panel Template Variable Attribution Injection", "source": {"discovery": "BUG_BOUNTY"}, "credits": [{"lang": "en", "type": "finder", "value": "trailerb18 (Researcher)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "versions": [{"status": "affected", "version": "12.4.0", "versionType": "semver"}], "platforms": ["OnPrem"], "defaultStatus": "unaffected"}], "datePublic": "2026-05-22T14:46:29.694Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-9029", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix"}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-06-22T13:18:40.770Z"}}}, "cveMetadata": {"cveId": "CVE-2026-9029", "state": "PUBLISHED", "dateUpdated": "2026-06-24T15:55:58.092Z", "dateReserved": "2026-05-19T15:28:45.662Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-06-22T13:18:40.770Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}