GHSA-vqph-p5vc-g644

Suggest an improvement
Source
https://github.com/advisories/GHSA-vqph-p5vc-g644
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-vqph-p5vc-g644/GHSA-vqph-p5vc-g644.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vqph-p5vc-g644
Aliases
Downstream
Published
2025-07-18T09:30:31Z
Modified
2025-07-29T19:44:38.342756Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
Summary
Grafana is vulnerable to XSS attacks through open redirects and path traversal
Details

An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.

The open redirect can be chained with path traversal vulnerabilities to achieve XSS.

Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01

Database specific 
{
    "nvd_published_at": "2025-07-18T08:15:28Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-20T16:35:49Z"
}
References

Affected packages

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
View open source insights on deps.dev
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.2-0.20250521205822-0ba0b99665a9