CVE-2025-11539

CRITICAL LAB

Grafana Image Renderer - RCE

Title source: llm

Description

Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process. Instances are vulnerable if: 1. The default token ("authToken") is not changed, or is known to the attacker. 2. The attacker can reach the image renderer endpoint. This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-11539

View Code ZIP pw:eip

References (2)

[Various Sources] https://grafana.com/security/security-advisories/cve-2025-11539/

[Release Notes] https://github.com/grafana/grafana-image-renderer/releases/tag/v4.0.17

Related Analysis

72-Hour Stress Test

Scores

CVSS v3 9.9

EPSS 0.0030

EPSS Percentile 53.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Lab Environment

EIP LAB

Lab screenshot

vulnerable docker pull ghcr.io/exploitintel/cve-2025-11539-vulnerable:latest

View in Library GitHub

COMMUNITY

docker pull grafana/grafana:11.6.0

docker pull ghcr.io/exploitintel/cve-2025-11539-vulnerable:latest

https://github.com/exploitintel/eip-pocs-and-cves

View in Library

Details

CWE

CWE-94

Status published

Products (1)

Grafana/grafana-image-renderer 1.0.0 - 4.0.16

Published Oct 09, 2025

Tracked Since Feb 18, 2026