CVE-2026-8595
Received Received - Intake

Stored XSS in Grafana Dashboard TableNG Panels

Vulnerability report for CVE-2026-8595, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Grafana Labs

Description

A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
grafana grafana to 13.0.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-8595 is a stored cross-site scripting (XSS) vulnerability in Grafana's table panel (TableNG).

A user with Editor permissions can create a dashboard containing a malicious field name that executes as a script in the browsers of anyone who views that dashboard.

Impact Analysis

This vulnerability can lead to unauthorized script execution in the browsers of users who view the malicious dashboard.

As a result, it could compromise user sessions or data integrity, potentially allowing attackers to steal information or perform actions on behalf of the user.

Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade Grafana to a fixed version. Specifically, upgrade to version 12.4.4 or later, or 13.0.2 or later, where the stored cross-site scripting issue in the table panel (TableNG) has been resolved.

Compliance Impact

This vulnerability allows unauthorized script execution in the browsers of users viewing a malicious dashboard, which could lead to compromised user sessions or data integrity.

Such unauthorized access or data compromise may impact compliance with standards and regulations like GDPR or HIPAA, which require protection of user data and secure handling of personal information.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to potential data breaches or unauthorized access.

Detection Guidance

This vulnerability involves a stored cross-site scripting (XSS) attack through a malicious field name in Grafana dashboards created by users with Editor permissions. Detection typically involves inspecting Grafana dashboards for suspicious or unexpected script content in table panel field names.

Since the vulnerability manifests in the browser when viewing dashboards, network detection might be limited. However, you can check your Grafana instance version to see if it is vulnerable.

Suggested commands to detect potentially vulnerable Grafana versions:

  • Check Grafana version via API: curl -s http://<grafana-server>/api/health | grep version
  • Check Grafana version via CLI or installed package manager, e.g., grafana-server -v

To detect malicious dashboards, manual inspection or automated scripts to parse dashboard JSON for suspicious script tags or unusual field names in TableNG panels would be necessary, but no specific commands are provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8595. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart