CVE-2025-41117
MEDIUM 6.8
Description
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, which allows malicious JavaScript to be injected and run in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear to be affected at all.
CVE Details
CVSS v3.1 Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Published: 2/12/2026
Last Modified: 2/26/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
grafana:grafana
Weaknesses (CWE)
CWE-79
References
https://grafana.com/security/security-advisories/cve-2025-41117 (security@grafana.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.