CVE-2025-41117

Published Feb 12, 2026

Last updated a month ago

CVSS medium 6.8
Grafana

Overview

Description
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
Source
security@grafana.com
NVD status
Modified
Products
grafana

Risk scores

CVSS 3.1

Type
Primary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-79
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-79

Social media

Hype score
Not currently trending

  1. CVE-2025-41117 Cross-Site Scripting in Grafana Explore Traces via Jaeger HTTP API Datasource https://t.co/EL0NpJgKcM

    @VulmonFeeds

    12 Feb 2026

    35 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-41117 Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScrip… https://t.co/JcM4IjjfGY

    @CVEnew

    12 Feb 2026

    334 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-41117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but is detectable via commits in the open-source repo. That’s at least 1 hour early. PoCs and more at h

    @spaceraccoonsec

    11 Feb 2026

    9552 Impressions

    23 Retweets

    188 Likes

    84 Bookmarks

    0 Replies

    0 Quotes

  4. Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-41117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but is detectable via commits in the open-source repo. That’s at least 1 hour head start. PoCs and more

    @spaceraccoonsec

    11 Feb 2026

    881 Impressions

    0 Retweets

    15 Likes

    2 Bookmarks

    1 Reply

    1 Quote

Configurations

Related CVEs

  1. A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion. - Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana. - The attacker must delete the datasource, then someone must recreate it. - The new datasource must not have the attacker as an admin. - The new datasource must have the same UID as the prior datasource. These are randomised by default. - The datasource can now be re-deleted by the attacker. - Once 30 seconds are up, the attack is spent and cannot be repeated. - No datasource with any other UID can be attacked.CVE-2026-21725
  2. Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.CVE-2026-21722
  3. Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.CVE-2026-21720
  4. SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to trueCVE-2025-41115
  5. The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary administrative actions. This is possible because the plugin allows arbitrary JavaScript code injection in the [Layout] → [Link] → [URL] field. Version 2.4.0 contains a fix for the issue.CVE-2025-58746

References

Sources include official advisories and independent security research.