CVE-2026-9029 | The geomap panel's XYZ tile layer has a sanitize-then-interp… | CVSS 7.3 HIGH

Description

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

Metadata

CVE ID: CVE-2026-9029
State: PUBLISHED
Assigner: GRAFANA
Reserved: 2026-05-19 15:28 UTC
Published: 2026-06-22 13:18 UTC
Last updated: 2026-06-22 15:43 UTC
Vendor / Product: Grafana / Grafana OSS
Sources: cve.org · NVD

Severity & Metrics

7.3 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Grafana	Grafana OSS	OnPrem	12.4.0

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.3	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References (1)

https://grafana.com/security/security-advisories/cve-2026-9029