CVE-2025-4123

high Grafana
CVSS v3 Base Score
7.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
EPSS Score
3.9%
Exploitation probability in 30 days
Top 12% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
High
Integrity
Low
Availability
Low
Published: May 22, 2025 (357 days ago)
Last Modified: April 29, 2026
Vendor: Grafana
Source: NVD

Description

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

CWE

CWE-79

Affected Products

grafana grafana

References

🔗 grafana.com 🔗 grafana.com 🔗 www.exploit-db.com