CVE-2025-41117 PUBLISHED

XSS in Grafana Explore stack trace

Assigner: GRAFANA
Reserved: 16.04.2025 Published: 12.02.2026 Updated: 12.02.2026

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, allowing malicious JavaScript to be injected into the browser. Exploitation requires malicious JavaScript to be entered into the stack trace field.

Only datasources using the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear to be affected.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 6.8

Product Status

Vendor Grafana
Product grafana/grafana
Versions Default: unaffected
  • affected from 12.2.0 to 12.2.4+security-01 (excl.)
  • affected from 12.3.0 to 12.3.2+security-01 (excl.)
Vendor Grafana
Product grafana/grafana-enterprise
Versions Default: unaffected
  • affected from 12.2.0 to 12.2.4+security-01 (excl.)
  • affected from 12.3.0 to 12.3.2+security-01 (excl.)

References