The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix
References
| Link | Resource |
|---|---|
| https://grafana.com/security/security-advisories/cve-2026-9029 | Broken Link |
Configurations
History
30 Jun 2026, 15:28
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://grafana.com/security/security-advisories/cve-2026-9029 - Broken Link | |
| CPE | cpe:2.3:a:grafana:grafana:12.4.0:*:*:*:-:*:*:* | |
| First Time |
Grafana
Grafana grafana |
24 Jun 2026, 17:17
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-79 |
22 Jun 2026, 14:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-22 14:17
Updated : 2026-06-30 15:28
NVD link : CVE-2026-9029
Mitre link : CVE-2026-9029
CVE.ORG link : CVE-2026-9029
JSON object : View
Products Affected
grafana
- grafana
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
