CVE-2026-9029

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix
Configurations

Configuration 1 (hide)

cpe:2.3:a:grafana:grafana:12.4.0:*:*:*:-:*:*:*

History

30 Jun 2026, 15:28

Type Values Removed Values Added
References () https://grafana.com/security/security-advisories/cve-2026-9029 - () https://grafana.com/security/security-advisories/cve-2026-9029 - Broken Link
CPE cpe:2.3:a:grafana:grafana:12.4.0:*:*:*:-:*:*:*
First Time Grafana
Grafana grafana

24 Jun 2026, 17:17

Type Values Removed Values Added
CWE CWE-79

22 Jun 2026, 14:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-22 14:17

Updated : 2026-06-30 15:28


NVD link : CVE-2026-9029

Mitre link : CVE-2026-9029

CVE.ORG link : CVE-2026-9029


JSON object : View

Products Affected

grafana

  • grafana
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')