Back to overview

CVE-2026-8595

MEDIUM
6.8
CVSS 3.1
Description
A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting).

Metadata

CVE ID
CVE-2026-8595
State
PUBLISHED
Assigner
GRAFANA
Reserved
2026-05-14 12:50 UTC
Published
2026-07-10 14:59 UTC
Last updated
2026-07-10 18:44 UTC
Primary CWE
CWE-79
CWE-79
Vendor / Product
Grafana / Grafana OSS
Sources
cve.org  ·  NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Grafana Grafana OSS 12.4.0 ≤ 12.4.3, 13.0.0 ≤ 13.0.1
Weakness (CWE)
CWESourceDescription
CWE-79 cna CWE-79
CWE-79 adp CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.8 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Back to overview