CVE-2025-6023Cross-site Scripting in Grafana

CWE-79Cross-site ScriptingCWE-601Open Redirect8 documents6 sources
Severity
7.6HIGHNVD
EPSS
3.8%
top 11.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GrafanaGithub.com Grafana Grafana
Timeline
PublishedJul 18
Latest updateDec 30

Description

An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:LExploitability: 2.8 | Impact: 4.7

Affected Packages2 packages

CVEListV5grafana/grafana12.0.x12.0.2+security-01+4
Gogithub.com/grafana_grafana< 1.9.2-0.20250521205822-0ba0b99665a9

🔴Vulnerability Details

5
OSV
Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana2025-07-29
CVEList
CVE-2025-6023: An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks2025-07-18
GHSA
Grafana is vulnerable to XSS attacks through open redirects and path traversal2025-07-18
OSV
Grafana is vulnerable to XSS attacks through open redirects and path traversal2025-07-18
OSV
CVE-2025-6023: An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks2025-07-18

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS Grafana Server-Side Open Redirect (CVE-2025-6023)2025-12-30

📋Vendor Advisories

1
Red Hat
grafana: Cross Site Scripting in Grafana2025-07-22
CVE-2025-6023 — Cross-site Scripting in Grafana | cvebase