CVE-2025-2703

EUVD-2025-12232
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. 

A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
GRAFANACNA
6.8 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
Common Weakness Enumeration
References
https://grafana.com/security/security-advisories/cve-2025-2703
https://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/