CVE-2026-9029
Status: Received - Intake
XYZ Tile Layer XSS in Grafana Geomap Panel

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Grafana Labs

Description
The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug: sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, and that substitution uses the glob format, which applies no HTML escaping. The resulting string is passed to OpenLayers and set via element.innerHTML. An Editor can therefore set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix.
Meta Information
Generated: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
grafana | grafana | to 2023-0507 (exc)
CWE: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the geomap panel's XYZ tile layer due to an ordering bug in how text sanitization and interpolation are handled. Specifically, the function sanitizeTextPanelContent() is applied to the raw template string before the variable substitution occurs via getTemplateSrv().replace(). Because the substitution uses a glob format without HTML escaping, malicious code can be injected. This code is then passed to OpenLayers through element.innerHTML, allowing an Editor to set a textbox variable's default value to an XSS payload. This payload executes for every user who opens the dashboard, effectively bypassing a previous fix (CVE-2023-0507).
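The ordering defect named in the Description and the Executive Summary above, as an added illustration that is not Grafana's code: sanitize() and interpolate() are hypothetical stand-ins for sanitizeTextPanelContent() and getTemplateSrv().replace(), renderVulnerable()/renderFixed() are the two call orders, and the sample template and variable value are constructed.

```javascript
// Added illustration, not Grafana's code. The two helpers are hypothetical
// stand-ins for the calls the advisory names:
//   sanitize()    ~ sanitizeTextPanelContent()  (modelled as tag stripping)
//   interpolate() ~ getTemplateSrv().replace()  (verbatim ${var} substitution,
//                   i.e. the no-escaping behaviour of the glob format)
// The order of the two calls, not the exact sanitizer, is the point.

function sanitize(html) {
  // Hypothetical sanitizer: remove every tag. A real allow-list sanitizer
  // has exactly the same ordering problem.
  return html.replace(/<[^>]*>/g, "");
}

function interpolate(template, vars) {
  // Hypothetical substitution: ${name} is replaced by vars[name] unchanged;
  // unknown names are left as written.
  return template.replace(/\$\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : match
  );
}

// Vulnerable order (the bug): sanitize the raw template, then interpolate.
// The variable's value is inserted after sanitization and would reach
// element.innerHTML as-is.
function renderVulnerable(template, vars) {
  return interpolate(sanitize(template), vars);
}

// Fixed order: interpolate first, then sanitize the fully expanded string,
// so the variable's value goes through the same sanitizer as the template.
function renderFixed(template, vars) {
  return sanitize(interpolate(template, vars));
}

// True when the string still carries HTML tags, i.e. markup that innerHTML
// would parse rather than display as text.
function containsMarkup(s) {
  return /<[^>]*>/.test(s);
}

// Constructed sample: a template with no markup of its own, and a textbox
// variable whose default value carries markup (the Editor-controlled input
// from the advisory). marker() is an inert placeholder name, not a payload.
const sampleTemplate = "Tiles by ${attribution}";
const sampleVars = { attribution: "<b>MapCo</b><script>marker()</script>" };

console.log("vulnerable:", renderVulnerable(sampleTemplate, sampleVars));
console.log("fixed:     ", renderFixed(sampleTemplate, sampleVars));
```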

Impact Analysis

This vulnerability can lead to a Cross-Site Scripting (XSS) attack, where an attacker can execute malicious scripts in the context of the affected application. Since the payload executes for every user who opens the dashboard, it can compromise user data, steal session tokens, or perform unauthorized actions on behalf of users. The CVSS score of 7.3 indicates a high severity with potential for significant confidentiality and integrity impact, although availability is not affected.
