CVE-2025-58746

CRITICAL

Grafana Business Links <2.4.0 - Privilege Escalation

Title source: llm
STIX 2.1

Description

The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary administrative actions. This is possible because the plugin allows arbitrary JavaScript code injection in the [Layout] → [Link] → [URL] field. Version 2.4.0 contains a fix for the issue.

Scores

CVSS v3 9.0
EPSS 0.0029
EPSS Percentile 20.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79 CWE-83
Status published
Products (1)
VolkovLabs/business-links < 2.4.0
Published Sep 08, 2025
Tracked Since Feb 18, 2026