CVE-2026-9029

High

Published: 22 June 2026

Modified: 23 June 2026
KEV Added:
Patch:
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0030 (21.1th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-9029 is a high-severity vulnerability of unspecified weakness type in Grafana (product inferred from references). Its CVSS base score is 7.3 (High).

Operationally, it is ranked at the 21.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix.
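
The ordering problem described above can be reproduced at string level, as an added example that is not Grafana or OpenLayers code. `sanitize`, `interpolate`, `renderVulnerable`, `renderFixed` and `leaksMarkup` are hypothetical stand-ins, and the template and variable value are constructed.

```javascript
// Added illustration: simplified stand-ins, not Grafana or OpenLayers code.

// Stand-in sanitizer (assumption): neutralises markup by escaping it.
function sanitize(html) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(html).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for template substitution that does not HTML-escape the value.
function interpolate(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (m, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? String(vars[name]) : m);
}

// Ordering from the description: the sanitizer only ever sees the template,
// so whatever the variable holds arrives unsanitized in the final string.
function renderVulnerable(template, vars) {
  return interpolate(sanitize(template), vars);
}

// Corrected ordering: sanitize the final string, the one bound for innerHTML.
function renderFixed(template, vars) {
  return sanitize(interpolate(template, vars));
}

// Regression check: does a render function let markup from a variable through?
function leaksMarkup(render) {
  const probe = '<i data-probe="1">';
  return render('Tiles ${attr}', { attr: probe }).includes(probe);
}

// Constructed input: a layer text template and an Editor-controlled variable.
const template = 'Map data ${credit}';
const vars = { credit: '<img src=x onerror=probe()>' };

console.log('sanitize-then-interpolate:', renderVulnerable(template, vars));
console.log('interpolate-then-sanitize:', renderFixed(template, vars));
console.log('vulnerable ordering leaks markup:', leaksMarkup(renderVulnerable));
console.log('fixed ordering leaks markup:', leaksMarkup(renderFixed));
```

A check like `leaksMarkup` works as a unit test for any code path that combines template variables with an HTML sink.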

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Grafana
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References