Grafana Geomap Panel XSS via sanitize-then-interpolate bug
CVE-2026-9029 Published on June 22, 2026

Stored XSS via Geomap Panel Template Variable Attribution Injection
The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug: sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, and that substitution uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix.
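The ordering bug described above, as an added illustration that is not Grafana's code: sanitize() and interpolate() are hypothetical stand-ins for sanitizeTextPanelContent() and a glob-format getTemplateSrv().replace(), and the attribution template, variable name and variable value are constructed sample input. The example shows why sanitizing the template before substitution leaves the substituted value unescaped, and that sanitizing after substitution closes the gap.

```javascript
// Added example (not Grafana's code). Hypothetical stand-in for an HTML
// sanitizer: escapes every character that could open markup.
function sanitize(html) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return html.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical stand-in for glob-format template replacement: ${name} is
// replaced with the raw variable value, with no escaping of any kind.
function interpolate(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? String(vars[name]) : match);
}

// Vulnerable order: the sanitizer only ever sees the placeholder text, so the
// value substituted afterwards reaches the output untouched.
function renderVulnerable(template, vars) {
  return interpolate(sanitize(template), vars);
}

// Fixed order: substitute first, then sanitize the final string that will be
// handed to innerHTML, so the variable value is escaped like everything else.
function renderFixed(template, vars) {
  return sanitize(interpolate(template, vars));
}

// Detection helper: true if the rendered string still contains a raw tag opener.
function containsMarkup(rendered) {
  return /<[a-z!\/]/i.test(rendered);
}

// Constructed sample: a tile-layer attribution template that references a
// textbox variable whose default value an Editor has set to markup.
const ATTRIBUTION_TEMPLATE = 'Tiles by ${provider}';
const VARS = { provider: '<script>alert(1)</script>' };

console.log('vulnerable:', renderVulnerable(ATTRIBUTION_TEMPLATE, VARS));
console.log('fixed:     ', renderFixed(ATTRIBUTION_TEMPLATE, VARS));
```

The fix is purely about ordering: any sanitizer that inspects the string before variable substitution cannot see the substituted value, so the sanitize step has to run on the fully interpolated string immediately before it is assigned to innerHTML.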


Weakness Type

What is an XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-9029 has been classified as an XSS vulnerability or weakness.


Products Associated with CVE-2026-9029

Affected Versions

Grafana OSS Version 12.4.0 is affected by CVE-2026-9029