Home
MEDIUM: 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:LDefault status
unaffected
12.4.0 (semver)
affected
13.0.0 (semver)
affected
Description
A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting).
Problem types
Product status
12.4.0 (semver)
13.0.0 (semver)
Credits
avamost369 (Researcher)
References
grafana.com/security/security-advisories/cve-2026-8595