CVE-2025-41117

Medium CVSS: 6.8

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.

Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.

Vendor

Grafana

Product

Grafana

CWE

CWE-79

Yayın Tarihi

2026-02-12 09:16:07

Güncelleme

2026-02-26 22:20:42

Source Identifier

security@grafana.com

KEV Date Added

Kategoriler

CWE-79 Grafana MEDIUM Grafana 2026

Referanslar

https://grafana.com/security/security-advisories/cve-2025-41117

Benzer Kayıtlar

Medium

CVE-2026-27877

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being u…

Medium

CVE-2026-27879

A resample query can be used to trigger out-of-memory crashes in Grafana.

High

CVE-2026-27880

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory cra…

Medium

CVE-2026-28375

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

Critical

CVE-2026-27876

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impac…

High

CVE-2026-28377

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, p…