CVE-2026-8595 PUBLISHED

Stored XSS in the table panel (TableNG)

Assigner: GRAFANA
Reserved: 14.05.2026 Published: 10.07.2026 Updated: 10.07.2026

A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting).

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
CVSS Score: 6.8

Product Status

Vendor Grafana
Product Grafana OSS
Versions Default: unaffected
  • affected from 12.4.0 to 12.4.3 (incl.)
  • affected from 13.0.0 to 13.0.1 (incl.)

Credits

  • avamost369 (Researcher) finder

References

Problem Types

  • CWE-79 CWE