AI description
CVE-2025-41117 is a remote code execution vulnerability identified in `streamlit-geospatial`, a Streamlit multipage application designed for geospatial uses. The flaw exists in the `pages/10_🌍_Earth_Engine_Datasets.py` file, specifically prior to commit `c4f81d9616d40c60584e36abb15300853a66e489`. The vulnerability arises because the `vis_params` variable on line 115 of the affected file accepts user input, which is subsequently processed by the `eval()` function on line 126. This improper handling of user-supplied data within the `eval()` function allows for remote code execution. The issue has been addressed by commit `c4f81d9616d40c60584e36abb15300853a66e489`.
- Description
- Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
- Source
- security@grafana.com
- NVD status
- Modified
- Products
- grafana
CVSS 3.1
- Type
- Primary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- Hype score
- Not currently trending
CVE-2025-41117 Cross-Site Scripting in Grafana Explore Traces via Jaeger HTTP API Datasource https://t.co/EL0NpJgKcM
@VulmonFeeds
12 Feb 2026
35 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-41117 Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScrip… https://t.co/JcM4IjjfGY
@CVEnew
12 Feb 2026
334 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-41117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but is detectable via commits in the open-source repo. That’s at least 1 hour early. PoCs and more at h
@spaceraccoonsec
11 Feb 2026
9552 Impressions
23 Retweets
188 Likes
84 Bookmarks
0 Replies
0 Quotes
Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-41117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but is detectable via commits in the open-source repo. That’s at least 1 hour head start. PoCs and more
@spaceraccoonsec
11 Feb 2026
881 Impressions
0 Retweets
15 Likes
2 Bookmarks
1 Reply
1 Quote
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C2BDFDFB-565D-4E2C-B32F-E4B66630CA19",
"versionEndExcluding": "12.2.4",
"versionStartIncluding": "12.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D8F9839-C15D-496A-8B0C-92D7C7916BFB",
"versionEndExcluding": "12.3.2",
"versionStartIncluding": "12.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:12.2.4:-:*:*:*:*:*:*",
"matchCriteriaId": "4CF2D10C-CEE9-4D8C-9D46-F38DE3540FB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:12.3.2:-:*:*:*:*:*:*",
"matchCriteriaId": "63FB712A-04AC-42FD-AC3C-1384932B662E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]