CVE-2026-9029

Name: CVE-2026-9029
Creator: NVD / NIST
Published: 2026-06-22T14:17:55.8+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.3/10EPSS 0.30%

Last modified Jun 24, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix

Metrics

CVSS 3.1

7.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS Probability

0.30%

21.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

References

https://grafana.com/security/security-advisories/cve-2026-9029

Timeline

Published: Jun 22, 2026
Last Modified: Jun 24, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-9029?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST