CVE-2026-32117
CVE-2026-32117
7.6
HighPublished:
Last updated:
Source:security-advisories@github.com
Analyzed
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- Required
- Scope
- Changed
- Confidentiality
- High
- Integrity
- Low
- Availability
- None
Description
The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin.
References
security-advisories@github.com
https://github.com/ekacnet/grafanacubism-panel/commit/b79cbf7e5eb3225bb204bcef274e15e6b19d9926security-advisories@github.com
https://github.com/ekacnet/grafanacubism-panel/security/advisories/GHSA-q6fh-6m3m-5948