CVE-2025-11539

CRITICAL LAB

Grafana Image Renderer 1.0.0-4.0.16 - Remote Code Execution via CSV Endpoint File Path Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-11539. PoCs published by exploitintel.

AI-analyzed exploit summary The repository contains functional exploit code for CVE-2025-11539, demonstrating arbitrary file write and RCE in Grafana Image Renderer v4.0.16 via path traversal in the `/render` and `/render/csv` endpoints. The PoCs include detailed technical analysis, lab setup, and multiple attack vectors.

Description

Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process. Instances are vulnerable if: 1. The default token ("authToken") is not changed, or is known to the attacker. 2. The attacker can reach the image renderer endpoint. This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-11539

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2025-11539, demonstrating arbitrary file write and RCE in Grafana Image Renderer v4.0.16 via path traversal in the `/render` and `/render/csv` endpoints. The PoCs include detailed technical analysis, lab setup, and multiple attack vectors.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Grafana Image Renderer v4.0.16

Auth required

Prerequisites: access to Grafana Image Renderer endpoint · default authentication token ('-')

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 02, 2026 Full analysis →

References (2)

Core 2

Core References

Various Sources vendor-advisory

https://grafana.com/security/security-advisories/cve-2025-11539/

Release Notes patch

https://github.com/grafana/grafana-image-renderer/releases/tag/v4.0.17

Related Analysis

72-Hour Stress Test

Scores

CVSS v3 9.9

EPSS 0.0058

EPSS Percentile 42.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Lab Environment

EIP LAB

vulnerable docker pull ghcr.io/exploitintel/cve-2025-11539-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-94

Status published

Products (1)

Grafana/grafana-image-renderer 1.0.0 - 4.0.16

Published Oct 09, 2025

Tracked Since Feb 18, 2026