Cross-site scripting in Grafana - CVE-2026-9029
Published: July 10, 2026
Grafana
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in the victim's browser.
The vulnerability exists due to stored cross-site scripting in the Geomap panel tile-layer attribution field when rendering a dashboard containing a crafted template variable. A remote user can place a malicious script in the attribution field to execute arbitrary script in the victim's browser.
User interaction is required to view the affected dashboard.