CVE-2025-2703
published 2025-04-23


Priority: P3 39
CVSS 3.1: 6.8 medium (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L)
EPSS: 10.61% (95.2th percentile)
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

Affected

10 ranges

Vendor  | Product            | Version range                   | Fixed in
--------|--------------------|---------------------------------|--------------------
grafana | grafana            | >= 11.2.0 < 11.2.8+security-01  | 11.2.8+security-01
grafana | grafana            | >= 11.3.0 < 11.3.5+security-01  | 11.3.5+security-01
grafana | grafana            | >= 11.4.0 < 11.4.3+security-01  | 11.4.3+security-01
grafana | grafana            | >= 11.5.0 < 11.5.3+security-01  | 11.5.3+security-01
grafana | grafana            | >= 11.6.0 < 11.6.0+security-01  | 11.6.0+security-01
grafana | grafana_enterprise | >= 11.2.0 < 11.2.8+security-01  | 11.2.8+security-01
grafana | grafana_enterprise | >= 11.3.0 < 11.3.5+security-01  | 11.3.5+security-01
grafana | grafana_enterprise | >= 11.4.0 < 11.4.3+security-01  | 11.4.3+security-01
grafana | grafana_enterprise | >= 11.5.0 < 11.5.3+security-01  | 11.5.3+security-01
grafana | grafana_enterprise | >= 11.6.0 < 11.6.0+security-01  | 11.6.0+security-01

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|------------------------------------------------
nvd           | v3.1    | 6.8   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
vendor_redhat |         | 6.8   | MEDIUM   |