CVE-2025-41117
medium
Grafana CVSS v3 Base Score
6.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 97% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
None
Published: February 12, 2026 (91 days ago)
Last Modified: April 24, 2026
Vendor: Grafana
Source: MITRE
Vulnerability Report
Generated by CyberWatcher
Description
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.
Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
Affected Products
Grafana grafana/grafanaGrafana grafana/grafana-enterprise