CVE-2019-13068

MEDIUM

Grafana < 6.2.5 - Cross-Site Scripting via Panel Drilldown Link Title or URL Field

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-13068. PoCs published by SimranJeet Singh.

AI-analyzed exploit summary: This is a writeup describing an HTML injection vulnerability in Grafana <=6.2.4, where the Title or url field in panel drilldown links can be exploited to inject arbitrary HTML. The payload example demonstrates basic HTML injection but does not include executable exploit code.

Description

public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).

Exploits (1)

exploitdb WRITEUP VERIFIED
by SimranJeet Singh · text · webapps · typescript
https://www.exploit-db.com/exploits/51073

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Grafana <=6.2.4
Auth required
Prerequisites: Access to Grafana panel configuration with drilldown links
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 5.4
EPSS 0.0484
EPSS Percentile 89.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (2)
grafana/grafana < 6.2.5
grafana/grafana 0 - 6.2.5 · Go
Published Jun 30, 2019
Tracked Since Feb 18, 2026