CVE-2025-41117

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-41117
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-41117.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-41117
Aliases
Downstream
Published
2026-02-12T09:16:07.630Z
Modified
2026-02-28T06:40:34.575663Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.

Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.

References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
20051fb1fc604fc54aae76356da1c14612af41d0
Fixed
df2547decd50d14defa20ec9ce1c2e2bc9462d72
Introduced
92f1fba9b4b6700328e99e97328d6639df8ddc3d
Fixed
5b73bf4c34ee8f0ffef915410416bc395e72b2d3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-41117.json"