Critical severity9.9OSV Advisory· Published Oct 9, 2025· Updated Apr 15, 2026
CVE-2025-11539
CVE-2025-11539
Description
Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.
Instances are vulnerable if:
1. The default token ("authToken") is not changed, or is known to the attacker. 2. The attacker can reach the image renderer endpoint. This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3v1.0.0, v1.0.1, v1.0.10, …+ 1 more
- (no CPE)range: v1.0.0, v1.0.1, v1.0.10, …
- (no CPE)range: <=4.0.16
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.