CVE-2025-41117
MEDIUMGrafana 12.2.0-12.2.4 - Stored Cross-Site Scripting in Explore Traces View
Title source: llmDescription
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
References (2)
Core 2
Core References
Broken Link vendor-advisory
https://grafana.com/security/security-advisories/cve-2025-41117
Various Sources
https://grafana.com/security/security-advisories/CVE-2025-41117
Scores
CVSS v3
6.8
EPSS
0.0026
EPSS Percentile
17.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (15)
grafana/grafana
12.2.0
grafana/grafana
12.2.1 (2 CPE variants)
grafana/grafana
12.2.2
grafana/grafana
12.2.3 (2 CPE variants)
grafana/grafana
12.2.4 (3 CPE variants)
grafana/grafana
12.3.0
grafana/grafana
12.3.1 (2 CPE variants)
grafana/grafana
12.3.2 (3 CPE variants)
grafana/grafana
12.2.0 - 12.2.4
grafana/grafana
12.2.0 - 12.2.5Go
... and 5 more
Published
Feb 12, 2026
Tracked Since
Feb 18, 2026