CVE-2026-9029

Stored XSS via Geomap Panel Template Variable Attribution Injection

CVSS 7.3 HIGHEPSS 0.3%CWE-79

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

22 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Affected products

Grafana · Grafana OSS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://grafana.com/security/security-advisories/cve-2026-9029