Moderate severityNVD Advisory· Published Feb 12, 2026· Updated Apr 24, 2026
XSS in Grafana Explore stack trace
CVE-2025-41117
Description
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.
Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/grafana/grafanaGo | >= 12.2.0, < 12.2.5 | 12.2.5 |
github.com/grafana/grafanaGo | >= 12.3.0, < 12.3.3 | 12.3.3 |
Affected products
12- osv-coords10 versionspkg:apk/chainguard/grafana-fips-11.6pkg:apk/chainguard/grafana-fips-12.0pkg:apk/chainguard/grafana-fips-12.1pkg:apk/chainguard/grafana-fips-12.2pkg:apk/chainguard/grafana-fips-12.3pkg:apk/chainguard/grafana-fips-12.4pkg:apk/chainguard/grafana-fips-13.0pkg:apk/chainguard/grafana-fips-13.1pkg:bitnami/grafanapkg:golang/github.com/grafana/grafana
< 11.6.16-r1+ 9 more
- (no CPE)range: < 11.6.16-r1
- (no CPE)range: < 12.0.10-r6
- (no CPE)range: < 12.1.10.01-r3
- (no CPE)range: < 12.2.10-r0
- (no CPE)range: < 12.3.8-r3
- (no CPE)range: < 12.4.5-r2
- (no CPE)range: < 13.0.3-r3
- (no CPE)range: < 13.1.0-r0
- (no CPE)range: >= 12.2.0, < 12.2.4
- (no CPE)range: >= 12.2.0, < 12.2.5
- Range: 12.2.0
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-cqp7-wf4c-3xgcghsaADVISORY
- grafana.com/security/security-advisories/cve-2025-41117mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2025-41117ghsaADVISORY
- github.com/grafana/grafana/commit/4f624a5a01404da45d60063ae1ee2f184818cd42ghsaWEB
- github.com/grafana/grafana/commit/8dfa6446942873d76cd94c63a2d6b71a25e880daghsaWEB
- github.com/grafana/grafana/commit/ecff0d88680cea4ad32709cb3b94b790a7f58d25ghsaWEB
- grafana.com/security/security-advisories/CVE-2025-41117ghsaWEB
News mentions
0No linked articles in our index yet.