
Grafana Cubism Panel Allows Malicious Code Execution

CVE-2026-32117
Summary

The Grafana Cubism Panel plugin, used to display interactive charts, does not validate the URL scheme of its zoom link. A malicious dashboard editor can set that link to a javascript: URI, and the code executes in the Grafana origin in a user's browser when that user drag-zooms on the chart. To protect your dashboard, update the Grafana Cubism Panel plugin to version 0.1.3 or later.

Original title
The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / ...
Original description
The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin.
NVD CVSS 3.1 score: 7.6
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026
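
The missing scheme check from the original description, shown as an added example that is not the plugin's source or its actual fix: the "before" shape hands the link straight to the navigation sink, and the hardened shape parses it and allows only http(s). The function names, the `nav` stand-in for `window.location`, and the `grafana.example` URLs are assumptions made for illustration.

```javascript
// Added example. All names are hypothetical; this is not the plugin's source or its fix.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Resolve the editor-supplied link against the dashboard URL and return the
// normalized absolute URL, or null if it is unparseable or not http(s).
function safeZoomLink(rawLink, baseHref) {
  if (typeof rawLink !== 'string') return null;
  let parsed;
  try {
    // The WHATWG URL parser lower-cases the scheme and strips surrounding
    // whitespace and embedded tabs/newlines, the same normalization the
    // browser applies before navigating. A startsWith() test would miss that.
    parsed = new URL(rawLink, baseHref);
  } catch (err) {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// "Before" shape from the advisory: link goes straight to the navigation sink.
function zoomUnsafe(link, nav) {
  nav.assign(link);
}

// Hardened shape: navigate only to a validated, normalized URL.
function zoomSafe(link, nav, baseHref) {
  const target = safeZoomLink(link, baseHref);
  if (target === null) return false; // refuse; caller can log or show an error
  nav.assign(target);
  return true;
}

// Constructed inputs; `nav` stands in for window.location so this runs in Node.
function demo() {
  const base = 'https://grafana.example/d/abc/cubism';
  const links = ['/d/xyz?from=1&to=2', 'javascript:void(0)', ' JaVaScRiPt:void(0)', 'data:text/html,x'];
  return links.map((link) => {
    const visited = [];
    const ok = zoomSafe(link, { assign: (u) => visited.push(u) }, base);
    return { link, ok, visited };
  });
}

console.log(demo());
```

The allowlist still permits any http(s) destination; limiting zoom links to the Grafana origin is a separate policy decision.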