CVE Catalog

CVE-2026-9029

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile - higher than 18% of all known CVEs

Summary

A vulnerability in the Geomap panel in Grafana allows a user with Editor permissions to inject a malicious script into the attribution field of an XYZ tile layer via a template variable. The script executes in the browser of any user viewing the affected dashboard (stored cross-site scripting).

Risk Assessment

An attacker can hijack user sessions, steal credentials, or spread malware within the organization, leading to data confidentiality and integrity breaches.

Recommendation

Immediately update Grafana to the patched version and restrict Editor permissions to trusted users only.

Original NVD description (English source)

A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard (stored cross-site scripting).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS