CVE-2018-1000816
Description
Grafana 5.2.4 and 5.3.0 contain a stored XSS vulnerability in the InfluxDB and Graphite query editors, allowing authenticated attackers to execute arbitrary JavaScript when a victim clicks the affected input field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Grafana versions 5.2.4 and 5.3.0 are confirmed vulnerable to a cross-site scripting (XSS) flaw in the InfluxDB and Graphite query editors [2]. The vulnerability arises because user-supplied input in metric segments and SQL parts is not properly escaped before being rendered in the browser [1]. This allows an authenticated attacker to inject malicious JavaScript code into the query editor interface.
Exploitation
An attacker must be an authenticated user of the Grafana instance. The attacker inserts a crafted payload into the query editor's input field (e.g., metric name or SQL fragment). The payload is stored and later executed when another authenticated user (or the same user) clicks on that input field [2]. No additional privileges beyond authentication are required.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser within the context of the Grafana application. This can result in session hijacking, data exfiltration, or other actions performed on behalf of the victim user. The attack is limited to the browser session and does not directly affect the server.
Mitigation
The fix was implemented in pull request #13670 [1] and included in Grafana version 5.3.2 (unreleased at the time of the CVE) as noted in the changelog [4]. Users should upgrade to Grafana 5.3.2 or later. If upgrading is not immediately possible, administrators should restrict access to trusted users only, as the vulnerability requires an authenticated session. No workaround is documented.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/grafana (Go) | < 5.3.2 | 5.3.2 |
Patches
eabb04cec21d changelog: add notes about closing #13667
1 file changed · +1 −0
CHANGELOG.md+1 −0 modified@@ -19,6 +19,7 @@ # 5.3.2 (unreleased) +* **InfluxDB/Graphite/Postgres**: Prevent cross site scripting (XSS) in query editor [#13667](https://github.com/grafana/grafana/issues/13667), thx [@svenklemm](https://github.com/svenklemm) * **Postgres**: Fix template variables error [#13692](https://github.com/grafana/grafana/issues/13692), thx [@svenklemm](https://github.com/svenklemm) * **Cloudwatch**: Fix service panic because of race conditions [#13674](https://github.com/grafana/grafana/issues/13674), thx [@mtanda](https://github.com/mtanda) * **Stackdriver/Cloudwatch**: Allow user to change unit in graph panel if cloudwatch/stackdriver datasource response doesn't include unit [#13718](https://github.com/grafana/grafana/issues/13718), thx [@mtanda](https://github.com/mtanda)
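Review bot: the new changelog line cites only issue #13667, while the advisory text names pull request #13670 as the code fix; add the PR reference and the identifier CVE-2018-1000816 to the entry so readers of the release notes can map it to the advisory. The entry also lists InfluxDB/Graphite/Postgres, whereas the CVE description names only the InfluxDB and Graphite query editors; confirm that the stated scope matches the code change this changelog note describes.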
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-x5fh-fvvr-892f (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000816 (NVD advisory)
- https://github.com/grafana/grafana/commit/eabb04cec21dc323347da1aab7fcbf2a6e9dd121 (fix commit)
- https://github.com/grafana/grafana/issues/13667 (issue)
- https://github.com/grafana/grafana/pull/13670 (fix pull request)