CVE-2026-9029
Modified Modified - Updated After Analysis

XYZ Tile Layer XSS in Grafana Geomap Panel

Vulnerability report for CVE-2026-9029, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-07-10

Assigner: Grafana Labs

Description

A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard (stored cross-site scripting).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-07-10
Generated
2026-07-12
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
grafana grafana 12.4.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the geomap panel's XYZ tile layer due to an ordering bug in how text sanitization and interpolation are handled. Specifically, the function sanitizeTextPanelContent() is applied to the raw template string before the variable substitution occurs via getTemplateSrv().replace(). Because the substitution uses a glob format without HTML escaping, malicious code can be injected. This code is then passed to OpenLayers through element.innerHTML, allowing an Editor to set a textbox variable's default value to an XSS payload. This payload executes for every user who opens the dashboard, effectively bypassing a previous fix (CVE-2023-0507).

Impact Analysis

This vulnerability can lead to a Cross-Site Scripting (XSS) attack, where an attacker can execute malicious scripts in the context of the affected application. Since the payload executes for every user who opens the dashboard, it can compromise user data, steal session tokens, or perform unauthorized actions on behalf of users. The CVSS score of 7.3 indicates a high severity with potential for significant confidentiality and integrity impact, although availability is not affected.

Compliance Impact

This vulnerability allows an attacker with Editor privileges to inject a cross-site scripting (XSS) payload that executes for every user who opens the affected dashboard. Such an XSS vulnerability can lead to unauthorized access to sensitive information, session hijacking, or other malicious actions that compromise data confidentiality and integrity.

Because of the potential for unauthorized data exposure and manipulation, this vulnerability could negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system security.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9029. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart