CVE-2026-9029 PUBLISHED

Stored XSS via Geomap Panel Template Variable Attribution Injection

Assigner: GRAFANA
Reserved: 19.05.2026 Published: 22.06.2026 Updated: 22.06.2026

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 7.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Grafana
Product	Grafana OSS
Versions	Default: unaffected Version 12.4.0 is affected

Credits

trailerb18 (Researcher) finder

References

https://grafana.com/security/security-advisories/cve-2026-9029