Cyber Resilience

CVE-2026-32117

High

Published: 11 March 2026

Modified: 17 March 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)
EPSS Score: 0.0002 (3.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32117 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ekacnet Grafanacubism-Panel. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32117 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the grafanacubism-panel plugin for Grafana. Versions 0.1.2 and earlier allow use of cubism.js in panels, but the zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() or window.open() without any scheme validation. Published on 2026-03-11, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N), indicating network accessibility, low attack complexity, and potential for high confidentiality impact in a changed scope.

An attacker requires dashboard Editor privileges to exploit the issue by configuring the panel's zoom link as a javascript: URI containing a malicious payload. Exploitation occurs when any Viewer with access to the dashboard performs a drag-zoom interaction on the affected panel, triggering the payload to execute within the Grafana origin. This enables theft of sensitive data visible to the victim, such as session tokens or dashboard contents, due to the origin's trust context.

Mitigation details are provided in the plugin's GitHub security advisory (GHSA-q6fh-6m3m-5948) and the fixing commit (b79cbf7e5eb3225bb204bcef274e15e6b19d9926). Security practitioners should update the grafanacubism-panel plugin to a version later than 0.1.2, review existing dashboard panel configurations for zoom links that use a javascript: URI and remove them, and restrict Editor privileges where possible so that untrusted users cannot configure exploitable panels.
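As an added defensive example (not the plugin's own code and not the fixing commit), the check below shows the scheme allow-list the zoom-link handler needs: the editor-supplied link is parsed with the WHATWG URL constructor and navigation happens only for http(s) targets. The base origin, the sample links and the function names are constructed for illustration.

```javascript
// Added example: allow-list validation of a dashboard-editor-supplied zoom
// link before it is handed to window.location.assign() / window.open().
// Assumes the panel resolves relative links against the Grafana origin.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised absolute URL if the link may be navigated to, or
// null if it must be dropped. The URL constructor (browsers and Node) strips
// leading/trailing whitespace and control characters and lower-cases the
// scheme, so variants such as "  JavaScript:" are caught by the same check.
function safeZoomLink(rawLink, baseOrigin) {
  if (typeof rawLink !== "string" || rawLink.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(rawLink, baseOrigin); // relative links resolve against the origin
  } catch {
    return null; // unparsable input never reaches navigation
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Hardened handler shape: navigate only after validation; `navigate` stands
// in for (url) => window.location.assign(url) so the logic runs outside a browser.
function onDragZoom(panelOptions, baseOrigin, navigate) {
  const target = safeZoomLink(panelOptions.zoomLink, baseOrigin);
  if (target === null) {
    console.warn("zoom link rejected: disallowed scheme or malformed URL");
    return false;
  }
  navigate(target);
  return true;
}

// Constructed sample inputs (hypothetical host) covering the cases the
// vulnerable handler did not distinguish.
const BASE = "https://grafana.example.internal";
const SAMPLE_LINKS = [
  "https://grafana.example.internal/d/abc123?from=now-1h",
  "/d/abc123?from=now-1h",
  "javascript:void 0",
  "  JavaScript:void 0",
  "data:text/html,hello",
];
for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), "->", safeZoomLink(link, BASE));
}
```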


Vulnerability details

The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1550.004 Web Session Cookie (tactic: Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Stored XSS in Grafana web panel directly enables browser session hijacking (T1185) via javascript: URI execution and theft/use of web session cookies (T1539, T1550.004) for data exfiltration or impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0601 (shared CWE-79)
CVE-2026-27196 (shared CWE-79)
CVE-2026-3879 (shared CWE-79)
CVE-2026-24836 (shared CWE-79)
CVE-2026-28754 (shared CWE-79)
CVE-2026-25306 (shared CWE-79)
CVE-2025-26573 (shared CWE-79)
CVE-2026-26022 (shared CWE-79)
CVE-2026-32277 (shared CWE-79)
CVE-2026-35035 (shared CWE-79)

Affected Assets

ekacnet grafanacubism-panel, versions ≤ 0.1.2

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)
Directly mitigates the CVE by requiring timely patching of the vulnerable grafanacubism-panel plugin beyond version 0.1.2, which adds scheme validation to the zoom-link handler.

SI-10 Information Input Validation (prevent)
Enforces validation of dashboard-editor-supplied URLs in the zoom-link handler to block javascript: URIs before they reach window.location.assign() or window.open().

Privilege restriction (prevent)
Limits dashboard Editor privileges to trusted users only, reducing the attack surface for configuring malicious zoom links exploitable by Viewers.
