CVE-2026-9029

Source
https://cve.org/CVERecord?id=CVE-2026-9029
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9029.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-9029
Aliases
Downstream
Published
2026-06-22T13:18:40.770Z
Modified
2026-07-08T08:09:50.441975704Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Stored XSS via Geomap Panel Template Variable Attribution Injection
Details

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "12.4.0"
                },
                {
                    "last_affected": "12.4.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9029.json",
    "cna_assigner": "GRAFANA"
}
References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:grafana:grafana:12.4.0:*:*:*:-:*:*:*",
    "extracted_events": [
        {
            "introduced": "12.4.0"
        },
        {
            "last_affected": "12.4.0"
        }
    ]
}

Affected versions

12.*
12.4.0
v12.*
v12.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9029.json"