CVE
CVE-2026-32117
grafanacubism-panel : Stored XSS via javascript: URL in panel zoom link (Editor → Viewer)
The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.6
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
C
H
U
-
Related Resources
No items found.
References
https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32117.json, https://github.com/ekacnet/grafanacubism-panel/security/advisories/GHSA-q6fh-6m3m-5948, https://nvd.nist.gov/vuln/detail/CVE-2026-32117, https://github.com/ekacnet/grafanacubism-panel/commit/b79cbf7e5eb3225bb204bcef274e15e6b19d9926
Basic Information
Ecosystem
