CVE-2025-58746

Published Sep 8, 2025

Last updated 9 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-58746 refers to a critical vulnerability found in the Volkov Labs Business Links panel for Grafana. This vulnerability allows for privilege escalation through JavaScript code injection. An attacker with Editor privileges can inject malicious JavaScript code via the [Layout] → [Link] → [URL] field, potentially gaining Administrator access. CVE-2025-55746 is a vulnerability in Directus, a real-time API and App dashboard for managing SQL database content. It affects versions 10.8.0 to before 11.9.3. The vulnerability lies in the file update mechanism, allowing unauthenticated actors to modify existing files with arbitrary content or upload new files with arbitrary content and extensions. These changes won't be visible in the Directus UI.

Description: The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary administrative actions. This is possible because the plugin allows arbitrary JavaScript code injection in the [Layout] → [Link] → [URL] field. Version 2.4.0 contains a fix for the issue.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9
Impact score: 6
Exploitability score: 2.3
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-79

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 17

References