CVE-2025-2703 — Cross-site Scripting in Grafana

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

0.1%

top 82.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Grafana Grafana Enterprise

Timeline

PublishedApr 23

Description

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:LExploitability: 2.1 | Impact: 4.7

Affected Packages2 packages

▶CVEListV5grafana/grafana11.6.0 — 11.6.0+security-01+4

▶CVEListV5grafana/grafana_enterprise11.6.0 — 11.6.0+security-01+4

🔴Vulnerability Details

CVEList

CVE-2025-2703: The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability↗2025-04-23

▶

GHSA

GHSA-p2mq-5mvf-j4j6: The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability↗2025-04-23

▶

📋Vendor Advisories

Red Hat

grafana: Cross-Site Scripting in Grafana XY Chart Panel↗2025-04-23

▶