CVE-2025-41117

MEDIUM6.8EPSS 0.02%

Grafana has a Cross-site Scripting issue

Published: 2/12/2026Modified: 5/11/2026

Also known as:GHSA-cqp7-wf4c-3xgcBIT-grafana-2025-41117

Description

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.

Affected packages (2)

Bitnami/grafana>= 12.2.0, < 12.2.4, >= 12.3.0, < 12.3.2
Go/github.com/grafana/grafana>= 12.2.0, < 12.2.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References (7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-41117
PATCHhttps://github.com/grafana/grafana
WEBhttps://github.com/grafana/grafana/commit/4f624a5a01404da45d60063ae1ee2f184818cd42
WEBhttps://github.com/grafana/grafana/commit/8dfa6446942873d76cd94c63a2d6b71a25e880da
WEBhttps://github.com/grafana/grafana/commit/ecff0d88680cea4ad32709cb3b94b790a7f58d25
WEBhttps://grafana.com/security/security-advisories/cve-2025-41117
WEBhttps://grafana.com/security/security-advisories/CVE-2025-41117