CVE-2025-2703

MEDIUM6.8EPSS 0.04%

Published: 4/25/2025Modified: 6/11/2025

Description

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

Affected packages (1)

Bitnami/grafana>= 11.2.0, < 11.5.3, >= 11.6.0, < 11.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

References (3)

WEBhttps://grafana.com/security/security-advisories/cve-2025-2703
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-2703
WEBhttps://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/